Insights on BSP Guidelines for Virtual Asset Service Providers by Atty. Rafael Padilla
In this whitepaper, Atty. Rafael Padilla, Co-Founder and Trustee of BlockDevs Asia and Professor of Law at San Beda Alabang, examines the updated guidelines for virtual asset service providers released by the Bangko Sentral ng Pilipinas. Rafael recently published the book Fintech: Law and First Principles. You can download the whitepaper here or read it below:
Insights on BSP Guidelines for Virtual Asset Service Providers
Professor of Law, San Beda Alabang School of Law
Co-Founder & Trustee, BlockDevs Asia Inc.
Author, Fintech: Law & First Principles
11 February 2021
The Monetary Board of the Bangko Sentral ng Pilipinas (BSP), in its Resolution No. 78 dated 21 January 2021, approved the new rules and regulations that will govern the operations of Virtual Asset Service Providers (VASPs) within the Philippines. BSP Circular No. 1108, Series of 2021 established the new Guidelines for Virtual Asset Servicer Providers.
At the outset, it must be noted that the rules and regulations, as well as circulars issued by administrative bodies to interpret the laws which they are entrusted to administer have the force of law, and are entitled to great respect. Administrative issuances partake of the nature of a statute and have in their favor a presumption of legality.
BSP Circular No. 1108
Following the rise in the use of bitcoin and other cryptocurrencies for payments and remittances in the Philippines, the BSP established in January 2017 a formal regulatory framework for what it refers to as “Virtual Currency Exchange” or VCE under BSP Circular No. 944. The framework is aligned with the BSP’s policy to provide an environment that encourages financial innovation while safeguarding the integrity and stability of the financial system. Under the Guidelines for Virtual Currency Exchanges, VCEs are defined as companies or businesses engaged in converting virtual currencies s into fiat currency and vice versa to facilitate payments and remittances.
In BSP Circular No. 944, the BSP’s regulation of VCEs used to be restricted only to businesses that convert fiat currencies to crypto and vice versa to facilitate payments and remittance transactions. In other words, the BSP aims to regulate cryptocurrencies when used for delivery of financial services, particularly for payments and remittances, which have material impact on anti-money laundering (AML) and combating the financing of terrorism (CFT), consumer protection and financial stability. The BSP also clarified that operators of Automated Teller Machines (ATM) for Virtual Currencies that allow purchase or exchange of Virtual Currencies (VCs) or other devices with similar functionality and capability, are considered as Virtual Currency Exchanges (VCEs) and should register with the BSP. According to the BSP, “as registered VCEs, they should comply with anti-money laundering/terrorist financing laws and regulations, ensure sufficient and appropriate controls and governance framework are adopted to manage the associated technology and other operational risks, and put in place adequate consumer protection and customer support, among others.”
Since 2020, the BSP started to adopt the terminologies (e.g., VA and VASP) employed by the Financial Action Task Force (FATF) in referencing cryptocurrency activities. The BSP is constantly evolving its regulatory framework for new types of cryptocurrency-based financial intermediaries, consistent with the guidance prescribed by the FATF for Virtual Assets (VA)and Virtual Asset Service Providers (VASP).
BSP Circular No. 1108 expanded the regulatory framework to cover other Virtual Asset Service Providers when their activities fall within the broad category of money service business (MSB). According to the BSP, “virtual-asset (VA) systems have the potential to revolutionize the delivery of financial services by providing faster and more economical means to transfer funds, both domestic and international, and may further support financial inclusion.” However, it is important for the BSP that VAs are not abused and that the Philippines is not used for money laundering and terrorist financing activities. The regulation also seeks to mitigate technology risks and financial stability concerns associated with VA, as well as strengthen consumer protection.
VASP as Money Service Business
BSP’s new guidelines embodied in Circular No. 1108 requires certain VASPs to register with the BSP and secure a Certificate of Authority to operate as MSB. A Money Service Business or MSB is an entity that provides financial services that involve “the acceptance of cash, checks, other monetary instrument or other stores of value and the payment of a corresponding sum in cash or other form to a beneficiary by means of a communication, message, transfer or through a clearing network to which the service provider belongs.”
The Monetary Board has the power to authorize entities to engage in MSB. The BSP’s supervisory authority over MSB has been reaffirmed in Section 3 of the New Central Bank Act, as amended by R.A. No. 11211 in 2019. Section 3 provides that as may be determined by the Monetary Board, the BSP exercises regulatory and examination powers over MSB. Incidentally, the registration of a VASP with the BSP also triggers the requirement to register with the Anti Money Laundering Council(AMLC) as MSB, thus making the registered VASP a “Covered Person” within the context of Philippine Anti-Money Laundering (AML) law and regulation.
BSP regards certain VASPs as money service business under the theory that once fiat currency is exchanged or converted into a virtual asset, it becomes easily transferrable, facilitating expedient movement or transfer of funds and payment service. However, it should be emphasized that the BSP does not necessarily regulate all kinds of digital asset business activities or all types of Virtual Asset Service Providers (VASP) as this term is defined by the Financial Action Task Force’s Guidance for Virtual Assets and VASPs. To be covered by the BSP’s regulatory regime, the VASP should fall within the definition of MSB (i.e., the activity within the regulatory ambit of the BSP) and be engaged in the conduct of one or more of the following activities:
- exchange between VAs and fiat currencies;
- exchange between one or more forms of VAs;
- transfer of VAs; and
- safekeeping and/or administration of VAs or instruments enabling control over VAs.
Indeed, the BSP Guidelines for VASPs specifically excludes VASP who are involved in the participation and provision of financial services related to an issuer’s offer or sale of a VA. Such activity correctly falls within the regulatory perimeter of the Securities and Exchange Commission (SEC). BSP’s regulation also does not apply to entities solely acting on their own behalf, or those who do not act, as a business, on behalf of customers to facilitate virtual asset-related activities.
In accordance with the FATF Guidance for VAs and VASPs, there are two key elements to qualify as a VASP: (1) there is a provider that actively facilitates VA-related activities; and (2) the provider acts as a business on behalf of the customers. In assessing whether an entity should be considered as a VASP, the activities and functions performed should be considered—regardless of the technology used. An entity can be a VASP, whether they use a decentralized or centralized platform, smart contract, or some other mechanism. For example, when a decentralized application (dApp) actively facilitates or conducts the exchange or transfer of value (whether in VA or traditional fiat currency), the dApp, its owner/operator(s), or both could potentially fall under the definition of a VASP. Even the individuals who developed a decentralized VA payment system may be treated as a VASP when they engage as a business in actively facilitating or conducting the payments. Whether a platform is centralized or decentralized may be a key aspect in assessing the money laundering and terrorist financing risk; but this question is not a controlling factor in the VASP analysis.
Neither the BSP Guidelines nor the FATF Guidance seek to regulate the technology that underlies VAs. The VASP regime intends to regulate the persons behind such technology or software applications that may use technology or software applications to facilitate financial activity or conduct as a business certain VA activities on behalf of another person. Therefore, as a safe harbor for developers, any person who develops or sells either a software application of a new VA platform should not be considered VASP when solely developing or selling the application or platform. Moreover, those who provide ancillary service or product to a blockchain network, such as hardware wallet manufacturers and non-custodial wallets, should also not be regarded as VASP, as long as they do not actively facilitate as a business the VASP activities for their customers.
With respect to exchange activities, the “exchange” regulated by the BSP refers to intermediaries that actively facilitate the conversion of VA or fiat currency in relation to a money service business. The term “exchange” should not be interpreted to include marketplace or facilities for bringing together purchasers and sellers or for performing functions commonly facilitated by securities exchange, i.e., the trading of VA that are in the nature of security, crypto derivatives and other synthetic VAs that behave like securities; this specific type of VASP and their activity may be covered by the provisions of the Securities Regulation Code administered by the SEC.
With respect to VASPs engaged in the transfer of VAs, the term “transfer” refers to the conduct a transaction on behalf of another person that moves a virtual asset from one virtual asset address or account to another. Therefore, this type of VASP contemplates those who operate as intermediary to actively facilitate the transfer of VA.
Other financial use cases for digital assets that do not involve money service business may be subject to other regulatory or licensing regimes, whether or not they fall within the definition of VASP, which may be administered by the BSP, the SEC, the Insurance Commission or other regulators. Speaking of varied financial use cases, the BSP has acknowledged in BSP Circular No. 982 that cryptocurrencies and distributed ledgers, “if prudently harnessed, can significantly increase market share, improve customer experience, enhance security, and promote financial inclusion.” But BSP prescribes that prior to adopting these emerging technologies, financial institutions should “fully understand the mechanics, implications to consumer protection, money-laundering and overall security posture as well as inherent risks associated with these new technologies.” In cases where applicable regulations or requirements are unclear, BSP-supervised financial institutions should consult with the BSP prior to implementation.
What is a Virtual Asset?
Within the scope of BSP’s regulatory framework —specifically the VASP Guidelines, the concept of “virtual asset” or VA is defined as “any type of digital unit that can be digitally traded, or transferred, and can be used for payment or investment purposes.” BSP also regards VA as “property”, “proceeds”, “funds or other assets” and other “corresponding value”, which can be used as a medium of exchange or a form of digitally stored value—whether issued by a central administrator or by a decentralized network.
BSP Circular No. 1108 excludes from the material scope of its regulation digital units that are used for “payment of goods and services solely provided by its issuer or a limited set of merchants specified by its issuer (e.g. gift checks).” It further excludes digital units for the payment of virtual goods and services within an online game (e.g. gaming tokens). This is consistent with the FATF’s Guidance that also excludes closed-loop items that are non-transferable, non-exchangeable, or non-fungible within the meaning of VA. Such closed-loop items might include airline miles, credit card awards, or similar loyalty program rewards or points, as long as their owner cannot sell them in a secondary market. With respect to non-fungible tokens or NFTs, various NFT-based platforms may not be necessarily considered as VASP, unless they are also engaged in the active facilitation of transactions similarly performed as a business by VASPs.
The term “virtual asset” should also not be construed to include digital representations of fiat currencies that are issued or guaranteed by any jurisdiction and have legal tender status (e.g. Central Bank Digital Currency or CBDC). Fiat currency refers to government-issued currency that is designated as legal tender in its country of issuance through government decree, regulation, or law.
A BSP-registered VASP must comply with BSP’s rules and regulations such as those concerning operational risk management, outsourcing, technology risk management, liquidity risk management, internal control, business continuity management, financial consumer protection, anti-money laundering (AML), and corporate governance. In the course of the application for a Certificate of Authority (COA), the BSP will take into account the fitness and propriety of the beneficial owners of the VASP. VASPs should also comply with the requirements, rules and regulations of the BSP with respect to activities requiring prior BSP approval or notification.
VASPs intending to engage with other VASPs and other financial institutions should transact only with counterparties that are duly authorized and licensed by the appropriate regulatory authorities. As a policy, the BSP prohibits licensed VASPs to clear and settle transactions with unregulated VASPs and platforms. The policy is designed to ensure that all VASP activities are executed within an unbroken chain of regulated entities.
A VASP that creates and maintains fiat wallets to facilitate the conversion or exchange of fiat currency to VA or vice versa are required to maintain sufficient unencumbered liquid assets to ensure that VA redemptions are adequately met at all times. It should also adopt control mechanisms that will ensure prompt recording of receipt of fiat currencies.
Custodians that are responsible for custody of customers’ VAs, whether through proprietary or outsource arrangements, should adopt measures to ensure adequate reserves for the VAs they hold in custody. Said VA Custodians must incorporate effective mechanism to properly record and segregate customers’ VAs from their proprietary VAs.
a. Capital requirement
In terms of capital requirement, VASPs with safekeeping or administration services for VA (e.g. custodians, escrow service and wallet providers) are required to have a minimum paid-in capital of fifty million pesos (PHP50,000,000.00). Other VASPs are required only to have a minimum paid-in capital of ten million pesos (PHP10,000,000.00).
There seems to be some vagueness on whether the general capital requirements for MSBs as found in BSP Circular No. 942 still apply to VASPs—particularly for Type A MSB where average monthly volume of transactions is considered in determining the capital requirement. For example, what if a blockchain-based remittance company, without providing wallet or custodial services, is projected or able to generate a monthly average volume of transactions in the amount of PHP100 million (which exceeds the PHP75 million threshold for Type A remittance agent)? Such company can be considered a VASP engaged in the transfer of VA. Would it only need PHP10 million (in accordance with BSP Circular No. 1108) or would it be required to have a minimum paid-in capital of PHP50 million (in accordance with BSP Circular No. 942)?
b. Technology risk management
VASPs providing wallet services for holding, storing and transferring cryptocurrencies, should have an adequate cybersecurity framework and adopt appropriate security measures and controls to ensure confidentiality, integrity and availability of data/information uploaded, stored, processed and transmitted into and out of the system and to protect the infrastructure from malware, cyber attacks and other emerging threats.
VASPs should also incorporate sound outsourcing mechanisms to manage risks arising from outsourcing, specifically those concerning confidentiality, data privacy, data management, contract management, cybersecurity, performance monitoring and business continuity, among others. In all instances where technology is outsourced, say to a cloud service provider (CSP), the VASP remains to be ultimately responsible for the performance of the financial service in the same manner and to the same extent as if the VASP was directly performing said activity.
c. Internal control and corporate governance
VASPs are required by the BSP to maintain and internal control system commensurate to the nature, size and complexity of their respective businesses. VASPs are also expected to adhere to BSP’s minimum control standards that a VASP should observe in their operations.
Critical control functions such as audit, compliance, AML, information security and other essential roles must be performed by competent officers. The VASP’s board of directors and management must be fit and proper which should be assessed based on sound corporate governance procedures.
d. Financial consumer protection
A BSP-registered VASP is expected to adopt customer awareness measures to educate its customers on the use and safeguarding of their virtual asset wallets as well as log-in credentials, use of mobile platforms and wallets, actual fees and charges related to the use of mobile platform and withdrawal transactions, and dispute resolution procedures.
In accordance with BSP’s financial consumer protection regulations, a VASP should disclose the actual fees and charges that apply to the use of the platform and withdrawal transactions. They should also put in place dispute resolution procedures, as well as adopt a system for promptly addressing the complaints of its customers.
VASPs should clearly communicate to its customers the terms and conditions prescribing the manner on how the losses and liabilities from security breaches, system failure or human error will be settled between the VASP and its customers.
Before transacting with a client and on a continuing basis, a VASP should disclose all material risks in a manner that is clear, fair and not misleading. Such disclosure must include information regarding the risks associated with the acquisition, possession, and trading of virtual assets. VASPs should also disclose whether they are holding virtual assets in custody and the risks associated with such custodial arrangement, or whether the customers have full control and responsibility of protecting and safeguarding their VAs.
e. Due diligence
A VASP must conduct due diligence (CDD), observing KYC/CDD rules and industry best practices—especially when it establishes business relations with any customer, undertakes any occasional business transactions with a customer, where there is suspicion of money laundering or terrorist financing, or where there is doubt on the authenticity or adequacy of the customer’s identification data.
BSP-licensed VASPs must also establish robust due diligence and accreditation procedures in selecting the VAs that will be listed or traded in their platform (e.g. by formulating a token listing/delisting policy). In addition, VASPs should adopt a fraud risk management system that is commensurate to the risks associated with particular VA types or specific VA activities (risk-based approach).
f. Special transactions requirements for virtual assets
According to BSP’s VASP Guidelines, VASPs and other BSP Supervised Financial Institutions (BSFI) that engage in or facilitate VA transfers shall consider all VA transfer transactions as cross-border wire transfers and comply with pertinent rules on wire transfers. The policy implications of this rule must be highlighted: first, it treats all VA transfers regardless of origin as if they are international transfers; second, it implies that other BSFIs such as commercial banks can engage in or facilitate actual VA transfers. The latter implication tends to reinforce and implement the FATF’s policy against “derisking” of VA and VASPs, i.e., FATF does not support the wholesale termination or restriction of business relationships with VASPS to avoid, rather than manage, risks.
For large value pay-outs of more than PHP500,000 or its equivalent in foreign currency, in any single transaction with customers or counterparties, enhanced due diligence (EDD) should be conducted and said pay-outs should only be made via check payment or direct credit to deposit accounts or account to account transfer using electronic fund transfer facilities. In this context, the term “pay-out” appears vague and seems to suggest that only the sale of VA is covered by this rule while the purchase of VA exceeding PHP500,000 should not necessarily trigger enhanced due diligence. In any case, VA transactions exceeding PHP500,000 will also trigger the submission of a covered transactions report (CTR) with AMLC.
g. Travel Rule
BSP Circular No. 1108 requires the implementation of the Travel Rule pursuant to FATF’s Guidance for Virtual Assets and Virtual Asset Service Providers. The jargon reflects the essence of the rule, that is, identifying information must “travel” along with the fund transfer. According to this rule, a VASP or “the originating institution” that facilitates a virtual asset transfer amounting to PHP50,000.00 or more, or its equivalent, must obtain and hold required originator information and required beneficiary information, which have been verified for accuracy, and submit said information to beneficiary institutions. For this purpose, the required information that should be collected by a BSP-supervised VASP or originating institution includes:
- originator’s name (i.e., the sending customer);
- originator’s account number where such an account is used to process the transaction (e.g., the VA wallet);
- originator’s physical (geographical) address, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth;
- beneficiary’s name; and
- beneficiary account number where such an account is used to process the transaction (e.g., the VA wallet).
The transmission of the above identifying information should be immediate and secure. VASPs should protect the integrity and availability of the required information to facilitate record-keeping and the use of such information by receiving VASPs or other covered entities, as well as to protect it from unauthorized disclosure. It is an essential requirement of this rule that entities should submit the required information simultaneously or concurrently with the transfer itself.
It should be noted that the Travel Rule has always applied to all banks and non-bank financial institutions (which includes VCEs or VASPs that are classified as MSBs), but the BSP makes it explicit that this rule also applies to VASPs which is consistent with the FATF Guidelines.
h. Reporting and record-keeping requirements
As a BSP supervised financial institution, a VASP is required to periodically submit reports to the BSP. All reporting and notification requirements imposed to MSBs generally apply to VASPs. But there are also reports specifically prescribed for VASPs. These reporting requirements include submission of financial statements audited by a BSP-accredited external auditor, quarterly reporting of volume and value of VA transactions, and quarterly reporting of list of offices and websites.
In practice, VASPs are also expected to comply with additional requests from BSP to submit specific data and information through surveys or questionnaires to assist the BSP in the conduct of in-depth studies and data collection.
Finally, VASPs must ensure that transaction and due diligence records are maintained for a period of at least five (5) years and adhere to other record-keeping guidelines issued by the BSP and AMLC for AML purposes.
Conclusion: prospects on future legal and regulatory developments
As of February 2021, the current version of the Anti-Money Laundering Act (AMLA) does not yet include VASPs within the meaning of the term “Covered Persons” that are required to register with the AMLC.This means that other types of VASPs—whose activities are outside the BSP, the SEC or the Insurance Commission’s supervisory authority under existing laws—cannot be required to register with the AMLC as a Covered Person. An administrative issuance from the AMLC will not suffice to legally compel other types of VASPs to register with the agency and to submit covered or suspicious transaction reports. The AMLA needs to be amended by the Philippine Congress to statutorily incorporate the FATF’s Recommendation on the inclusion of VASPs as a Covered Person for AML/CFT purposes.
Considering the Philippines’ consistent practice of adhering to FATF Recommendations, an amendment of the AMLA to cover VASPs will likely happen in the short to medium term. Such amendment to classify all types of VASPs as “Covered Person” would also establish a statutory policy requiring new crypto-based intermediaries to observe know-your-client, record-keeping, covered transactions and suspicious transactions reporting, as well as the appointment of AML compliance officer.
It can also be expected that other financial regulators such as the SEC and the Insurance Commission could also issue bespoke rules or issuances for VASPs that are engaged in financial activities regulated by these agencies. Such initiative would demonstrate a progressive and innovative approach in regulating new types of financial intermediaries. More importantly, it would make it clear that not all VASPs are within the regulatory perimeter of the BSP, and that the specific activities of a VASP should ultimately determine the appropriate financial service rules that must apply to them.
This article is first published on BitPinas: Insights on BSP Guidelines for Virtual Asset Service Providers by Atty. Rafael Padilla
 As such, courts cannot ignore administrative issuances especially when its validity was not put in issue. Unless the rules and regulations are declared invalid, courts are bound to apply them. Landbank of the Philippines v. Celada, 515 Phil. 467 (2006), cited in Land Transportation Franchising and Regulatory Board v. Valenzuela, G.R. No. 242860 (2019).
 Section 4512N, Manual of Regulations for Non-Bank Financial Institutions (MORNBFI). (2017)
 See BSP Memorandum M-2019-06 (2019).
 BSP Circular No 1108, Guidelines for Virtual Asset Service Providers, See Policy Statement, p. 1 (2021).
 See BSP Circular No. 942 for the amended rules on Money Service Business Operations (2017). See also BSP Circular No. 1039 , which streamlines the requirements for application for registration as MSB (2019). The application process was simplified to conform with the mandates of the Ease of Doing Business and Efficient Government Service Delivery Act (R.A. No. 11032, 2018).
 BSP Guidelines for Virtual Asset Service Providers, p. 3 (2021).
 Sec. 3, New Central Bank Act, as amended by R.A. No. 11211 (2019).
 Section 3. Responsibility and Primary Objective. — The Bangko Sentral shall provide policy directions in the areas of money, banking, and credit. It shall have supervision over the operations of banks and exercise such regulatory and examination powers as provided in this Act and other pertinent laws over the quasi-banking operations of non-bank financial institutions. As may be determined by the Monetary Board, it shall likewise exercise regulatory and examination powers over money service businesses, credit granting businesses, and payment system operators. The Monetary Board is hereby empowered to authorize entities or persons to engage in money service businesses.
 See Policy Statement, BSP Guidelines for Virtual Asset Service Providers, p. 1 (2020).
 Considering the definition of VASP as noted in the succeeding discussions, it will be observed that while a Virtual Currency Exchange (VCE) is a VASP, not all VASPs are VCEs.
 FATF Guidance For Virtual Assets and Virtual Asset Service Providers (2019).
 BSP Guidelines for Virtual Asset Service Providers, p. 3 (2021).
 BSP Guidelines for Virtual Asset Service Providers, p. 2 (2021).
 To easily recall, we refer to these key elements as (1) active facilitator element and (2) business element.
 FATF Guidance For Virtual Assets and Virtual Asset Service Providers, p. 17 (2019).
 FATF Guidance For Virtual Assets and Virtual Asset Service Providers, p. 17 (2019).
 R.A. No. 8799 (2000).
 FATF Guidance For Virtual Assets and Virtual Asset Service Providers, p. 57 (2019).
 Enhanced Guidelines on Information Security Management (Nov 2017); See http://www.bsp.gov.ph/downloads/regulations/attachments/2017/c982.pdf
 BSP Circular 982 (2017).
 See Definition of Terms, Guidelines for Virtual Asset Service Providers, p. 2 (2021).
 FATF Guidance For Virtual Assets and Virtual Asset Service Providers, p. 17 (2019).
 BSP Circular No. 944 (2017).
 See Capitalization, Guidelines for Virtual Asset Service Providers, p. 4 (2021).
 Section 4512N.6, Manual of Regulations for Non-Bank Financial Institutions (MORNBFI). (2017)
 Section 4512N.7, Manual of Regulations for Non-Bank Financial Institutions (MORNBFI). (2017)
 BSP Guidelines for Virtual Asset Service Providers, p. 4-5 (2021).
 BSP Guidelines for Virtual Asset Service Providers, p. 5 (2021).
 BSP Guidelines for Virtual Assets and Virtual Asset Service Providers, p. 6 (2021).
 These policy implications will be examined in-depth in our succeeding papers.
 FATF Guidance For Virtual Assets and Virtual Asset Service Providers, p. 9 (2019).
 BSP Guidelines for Virtual Assets and Virtual Asset Service Providers, p. 7 (2021).
 See for example BSP Circular No. 1022 (2019).
 The reporting of list of offices and websites became semestral under BSP Circular No. 1039 (2019). BSP Circular 1108 reverted to the previous rule of quarterly reporting.
 BSP Guidelines for Virtual Asset Service Providers, p. 8 (2021).