As the saying goes, “better later than ever”. This seems to hold particularly true for the Italian Decree on Virtual Asset Service Providers (VASP), which will regulate the business of companies and individuals offering crypto services to Italian customers.
A long-awaited Decree
Almost four years went by since the draft version of such Decree, which had been subjected to public consultation in the first months of 2018 (the consultation closed on February 16, 2018).
This week, the long-awaited Decree was finally approved by the Italian Ministry of Economy (MEF), although it is still due to be officially published. The VASP Decree irons out some queries and wrinkles on VASPs that provide their services in Italy. It provides for the establishment of a VASP Register kept by the Italian competent authority (OAM – Organismo Agenti e Mediatori) and aligns the Italian legal framework with the AML recommendations issued by the GAFI/FATF at the international level.
The Italian VASP Decree in a nutshell
The VASP Decree is most certainly an essential component of the overall legal and regulatory framework that the Italian legislator is building up around cryptos and it calls for a close scrutiny of the new obligations VASPs are about to be exposed to.
As word of comfort, it is worth highlighting from the get-go that the VASP Decree does not introduce any material requirement for the purpose of the registration and, thus, will not impose significant hurdles to the performance of VASP services in Italy. Yet, the VASP Decree will impose a set of reporting obligations that will have a material impact on VASPs.
This is perfectly in line with the very aim of the VASP Register, which has been conceived for information and reporting purposes. Not only will the OAM regularly receive the reporting from the VASPs, but it will also have to cooperate with other Italian authorities (e.g. the MEF, the Italian Financial Intelligence Unit, the Bank of Italy, the Italian Fiscal Police, etc.) by transmitting to those authorities, in certain circumstances and for the purpose of facilitating the exercise of their respective powers, any piece of information and document collected in connection with the management of the VASP Register.
From the VASPs’ vantage point, hence, the VASP Decree pretty much boils down to its operational impact and therefore to the need to get prepared for discharging the reporting obligations to the OAM, as well as for complying with the Italian AML obligations.
What is the scope of the new rules?
The new rules will apply to services performed in relation to any “virtual currency”, which is defined under Italian law as any digital representation of value, not issued or guaranteed by a central bank or public authority, not necessarily linked to a fiat currency, used as a medium of exchange for the purchase of goods and services or for investment purposes and transferred, stored and traded electronically.
The definition of virtual currency was already included in the Italian AML Decree, which imposed the application of the Italian AML obligations to “providers of services relating to the use of virtual currencies” (e.g. crypto exchanges or similar platforms, etc.) and “custodian wallet providers”, in line with the EU AML Directive.
In addition to the AML requirements provided for under the Italian AML Decree, VASPs will now have to comply with the registration and reporting obligations introduced by the VASP Decree in order to perform their services in Italy.
How will the VASP Register work?
Only VASPs that will be enrolled in the VASP Register will be allowed to offer services related to virtual currencies or custodian wallets in Italy.
For VASPs established as legal entities, the only requirement to be enrolled in the VASP Register is to have the registered and administrative office in Italy or, in case of EU entities, an Italian branch (stabile organizzazione).
The OAM will have to establish the VASP Register within 90 days of the entry into force of the VASP Decree (i.e. by May 2022, assuming that the VASP Decree will be published in the next few weeks).
The VASP Register will be publicly available and the following data will be published:
- identification data of the VASP;
- tax identification number or VAT number (if any);
- information on the type of services offered to the customers;
- address of the physical offices used to carry out the business (including any ATMs), and/or the web address used for the provision of the service.
VASPs will have to transmit an electronic communication to the OAM in order to be enrolled in the VASP Register.
The OAM will assess whether the notification and documentation are complete and consistent with the applicable requirements, and will approve or reject the application within 15 days of the date when the notification is filed.
What are the services that VASPs can perform in Italy?
The VASP Decree provides a description of the different types of services related to virtual currencies that VASPs are allowed to carry out. Although such list of services is provided only for the purpose of the OAM notification, it is particularly relevant in order to further define the scope of application of the VASP Decree.
According to the VASP Decree, VASPs that apply for registration in the VASP Register can offer one or more of following services:
- services that are instrumental to the use and exchange of virtual currencies and/or their conversion from or into fiat currencies or digital representations of value (including currencies that are convertible into other virtual currencies);
- services concerning the issue or offer of virtual currencies;
- services concerning the transfer and set-off of virtual currencies;
- any other service that is instrumental to the purchase, trading or intermediation in the exchange of virtual currencies (e.g. execution, reception, transmission of orders related to virtual currencies on behalf of third parties, placement of virtual currencies, advice on virtual currencies);
- custodian wallet services.
The issue of virtual currencies should not trigger in itself the duty to enrol in the VASP Register, unless the issuer performs at the same time one or more services related to virtual currencies and/or custodian wallet services by way of business and on behalf of its customers.
Which data must be reported to the OAM?
VASPs will have to communicate to the OAM, on a quarterly basis, the relevant identification data of each customer (surname and name, place and date of birth, place of residence, tax identification number / VAT number (if any), data of the identification document).
In addition, VASPs will have to transmit the data concerning the transactions of each customer taking into account all services performed by the VASP (i.e. total balance, number and value of fiat-to-crypto or crypto-to-fiat transactions, number of crypto-to-crypto transactions, crypto and fiat inflows / outflows).
What is the way forward?
If one looks at the strict authorization requirements applying to VASPs in other European countries, the VASP Decree is no game changer (luckily for all those prospective VASPs that are seeking to take up their business in Italy… as well as for those already operating here). For sure, the establishment of the VASP Register was a necessary step forward in the completion of the Italian regulatory framework.
However, the VASP Decree will have a significant operational impact in terms of quarterly reporting obligations to the OAM, as the compliance with such obligations could give rise to significant issues from a practical standpoint. Its relevance, as said, should rightly be captured in this perspective. In addition, VASPs registered in the VASP Register will have to establish internal procedures to comply with the Italian AML obligations.
Looking ahead and considering the upcoming EU regulatory reforms (in particular the MiCA Regulation proposal which will relentlessly draw the watershed between “before” and “after”), there might be coordination problems between the Italian rules (including on reporting obligations) and the authorization requirements set forth under the MiCAR (as MiCAR will not necessarily – in spite of its nature – wipe out the current national rules).
The good news is ultimately that, unlike other countries, Italy is not closing its doors to crypto business and is rather willing to establish an open and transparent regulatory environment for the performance of these services to Italian customers.
Francesco Dagnino, Angelo Messore – Lexia Avvocati (www.lexia.it)