What is a Virtual Asset Service Provider (VASP)?
The digital age is getting more interesting as tons of things we interact with on a daily basis are digital in form, even currency. Virtual currencies are also undeniably becoming extra popular now. Nonetheless, engaging with such isn’t as easy as a snap of a finger, as there are lots of things we have to know first for certainty and security.
The Bangko Sentral ng Pilipinas (BSP), under BSP Circular No. 1108 series of 2021, published new rules regulating Virtual Asset Services Providers (VASPs) that offer their services or engage in VASP activities in the Philippines. The guidelines cover the registration and the granting of a license of VASP. But what is a VASP, though?
What is a Virtual Currency (VC)?
To understand what VASP is, we must first familiarize ourselves with a virtual currency. A virtual currency (VC) is a type of digital currency created by a community of online users, is stored in electronic wallets (e-wallets), and is transacted online. It is not issued or guaranteed by central banks or government authorities.
Further, VCs may be transferred within the community of users. It may also be used to buy virtual items in games or apps or even real goods from online shops and merchants who accept VC as payment. Hence, VCs are used as a medium of exchange.
On the other hand, VC is also distinct from fiat currency or real currency – the coins and paper money issued by the country’s central bank, designated and circulated as legal tender in the country; and used and accepted as a medium of exchange in the country. Fiat currency is fully backed by the government of a country and is accepted as payment for public and private debts.
The BSP has decided to refer to virtual currencies as defined under Circular No. 944 dated February 6, 2017, as Virtual Assets (VAs), recognizing the evolving nature of this financial innovation. In addition, the central bank has also adopted the definition upheld by the Financial Action Task Force (FATF) in referring to cryptocurrencies and other digital assets providing such technology.
Is VC different from Cryptocurrency?
VC is a general term that covers different types depending on the business model. The BSP identified the various types as follows:
• Centralized – one entity/individual issues the VC)
• Decentralized – no central repository or administrator but several entities/individuals maintain the VC
• Convertible – the VCs can be exchanged to fiat currency and vice versa)
Therefore, cryptocurrency is among the types of VC. Cryptocurrency uses cryptography, a method of storing and transmitting data in unreadable form so that only the intended receivers can read and process it. This allows cryptocurrency transactions to be carried out in a decentralized manner by a group of users.
Meanwhile, the BSP also recognizes opportunities and risks in the use of cryptocurrencies. The BSP’s recent policy amendments have focused on improving its regulatory and supervisory response to money service business activities harnessing the technology of virtual currencies (VCs).
How do VCs differ from VAs?
VCs and other crypto assets are now generally called Virtual Assets (VAs). As mentioned, VCs refer to any type of digital unit used as a medium of exchange or form of digitally stored value created by agreement within the community of VC users.
VA, however, expands on the definition of VC by highlighting the use of such a digital unit beyond the typical functions of a currency. So, VAs refer to any type of digital unit that can be digitally traded or transferred and can be used for payment or investment purposes.
The BSP noted that similar to VCs, VAs are not issued nor guaranteed by any jurisdictions and do not have legal tender status. Therefore, the BSP does not endorse VAs as legal tender, store of value, or investment vehicle.
Meanwhile, the digital units of exchange that are used for the following are not considered VAs in the context of the BSP’s guidelines:
(a) the payment of goods and services solely provided by its issuer or a limited set of merchants specified by its issuer (like gift checks) or;
(b) the payment of virtual goods and services within an online game (like gaming tokens)
As per the BSP, this guarantees that activities relating to VASP are executed within an unbroken chain of regulated entities.
In recent news, BSP does not consider the popular play-to-earn NFT game, Axie Infinity, as a VASP. Instead, the central bank considers classifying the game as an Operator of Payment System (OPS) like GCash, PayMaya, and other banks.
Virtual Asset Service Provider (VASP)
Formerly known as Virtual Currency Exchanges (VCEs), Virtual Asset Provider (VASP) refers to any entity that offers services or engages in activities that provide a facility for the transfer or exchange of virtual assets. BSP Circular No. 1108 expands the scope of activities to be regulated as VASPs, which include businesses that perform:
(a) Exchange between VAs and fiat currencies;
(b) Exchange between one or more forms of VAs;
(c) Transfer of VAs; and
(d) Safekeeping and/or administration of VAs or instruments enabling control over VAs.
The VASP’s products and services include virtual assets/currencies (such as Bitcoin, Ethereum, Ripple, etc.) and e-wallets.
VASPs are expected to comply with the requirements of BSP Circular No. 808 on Information Technology Risk Management and BSP Circular No. 982 that covers the Enhanced Guidelines on Information Security Management for BSP-Supervised Financial Institutions (BSFIs).
Furthermore, as per the BSP, VASPs providing wallet services for holding and storing VAs must establish an adequate cybersecurity framework and adopt appropriate security controls in their VA platform.
These security measures ensure “confidentiality, integrity and availability” of data/information uploaded, stored, processed, and transmitted into and out of the system and protect the infrastructure from malware, cyber-attacks, and other evolving and emerging threats.
However, to address the clients’ complaints and concerns, VASPs are also required to set up customer awareness measures to educate its customers: which includes, among others:
(a) safeguarding of VA and/or fiat currency wallets as well as protection of client information such as log-in credentials;
(b) use of the mobile platform and wallets
(c) actual fees and charges related to the use of the mobile platform and withdrawal transactions
(d) problem resolution procedures
The BSP remarked that VASPs shall clearly articulate and explain to their customers the terms and conditions prescribing the manner on how the losses and liabilities from security breaches, system failure, or human error will be settled between the VASP and its customers.
VASP’s Travel Rule Requirements
The travel rule on VASPs aids in the prevention of money laundering and other financial crimes by keeping an information trail about individuals that send and receive funds.
VASPs and other supervised entities must obtain and hold originator and beneficiary information for VA transfers amounting to PHP 50,000 or more (or its equivalent in foreign currency) and transmit such information to the receiving institution.
The required information includes the following:
a. Originator’s name (i.e., the sending customer);
b. Originator’s account number used to process the transaction (e.g., the VA wallet);
c. Any of the following: originator’s address, national identity number, customer identification number that uniquely identifies the originator to the ordering institution, or date and place of birth;
d. Beneficiary’s name; and
e. Beneficiary account number where such an account is used to process the transaction (e.g., the VA wallet)
Nevertheless, the BSP does not prescribe a specific technology for the obtaining and sending of originator information as well as the obtaining and holding of beneficiary information between VASPs.
With that said, VASPs and other obliged entities in VA transfers may use existing commercially viable technology or harness new technologies to comply with the requirement.
Issuance of Certificate of Authority
A VASP shall secure a Certificate of Authority (COA) to operate as a Money Service Business (MSB). A VASP shall also adhere to the registration procedures and submit the Application for Registration and Notarized Deeds of Undertaking to the BSP through the appropriate supervising department of the central bank.
Besides, the VASP shall comply with pertinent BSP rules and regulations on Outsourcing, Liquidity Risk Management, Operational Risk Management, IT Risk Management, including the area of IT Outsourcing/Vendor Management Program, Business Continuity Management, Internal Control, Financial, Anti-Money Laundering, Financial Consumer Protection, and sound corporate governance principles, among others.
VASPs shall have a minimum paid-in capital as follows:
• VASP with safekeeping and/or administration services for VAs – PHP 50 million
• VASP without safekeeping and/or administration services for VAs – PHP 10 million
To know more about the registration process, head over to this link.
BSP’s Reminders to the Public
The BSP urges clients or users to be aware of the risks involved in transacting or engaging in the use of VA. As such, they should take full responsibility for their virtual/electronic wallets, VAs, and transactions with VASPs.
And if they have encountered any issues with VASPs, they should first directly communicate with the VASP through their hotlines, emails, or available contact information to raise any concerns about using their products and services.
Otherwise, they may raise their concerns to the BSP. According to the central bank, any issues received from the public will be duly attended to and communicated to the erring VASP. So reported complaints should be closely monitored with the VASP until full resolution.
The BSP also reminds the public to deal only with duly authorized VASPs, as regulated under Circular No. 1108 dated January 21, 2021.
Here’s the most updated list of BSP-registered VASPs as of July 31, 2021:
Due to volatility, investing in VAs presents immense risks, which might result in financial loss. So we must keep in mind that it’s always best to be mindful of the risks. Also, to minimize the risk of fraud or being scammed, it is highly recommended that we deal only with duly authorized VASPs.