Customer Due Diligence for Cryptocurrency Companies: Data Protection and Anti-Money Laundering Law in Slovenia Prohibit the “Standard Approach”

Customer Due Diligence for Cryptocurrency Companies: Data Protection and Anti-Money Laundering Law in Slovenia Prohibit the “Standard Approach”

Slovenia
Tools
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

With the tremendous increase in the price of cryptocurrencies in 2017 the world has witnessed an explosion of cryptocurrency-related enterprises, with initial coin offerings at the forefront. Several European countries have aligned their legislation to become appealing for such enterprises and Slovenia has been mentioned on several occasions as one of the most “crypto-friendly” countries. However, as Slovenian legislation offers a very high level of protection to personal data regarding identity documents, crypto business ventures within the Slovenian jurisdiction may be at a disadvantage against foreign competitors.

The standard approach to conducting the identification and verification process of a customer by cryptocurrency-related enterprises worldwide involves requesting a copy of a photo identity document, utility bills, and a recent photograph of the customer, in combination with other relevant data provided by the customer, followed by a subsequent review and verification of the data. The complete process is commonly performed online, without the need for the customer’s actual presence, allowing him or her to provide the data from a remote location. 

Until recently, Slovenian law contained a universal prohibition on storing digital copies of identity cards and passports. While the 2016 Prevention of Money Laundering and Terrorist Financing Act (ZPPDFT-1) – which implemented the 4th AML Directive (EU) 2015/849 (the “Directive”) – provided some exceptions for banks and financial institutions, the ZPPDFT-1 still prohibits the majority of persons  from storing digital copies of identity documents. This norms are peremptory, and even the customer’s consent does not render digital storage of identity documents legally valid.

Article 13 of the Directive requires that identification and verification of the customer be made on the basis of documents, data, or information obtained from a reliable and independent source. However, the Slovenian legislator has opted for a stricter approach and requires that identity documents be examined in the customer’s presence as the primary method of conducting due diligence measures. 

Pursuant to Article 4 of ZPPDFT-1, legal entities and natural persons “issuing and managing virtual currencies” are obliged to perform customer due diligence. Consequently, companies whose operations are related to cryptocurrencies have a statutory obligation to conduct due diligence upon establishing a business relationship with a customer. Apart from two very narrow exceptions involving means of electronic identification issued by the Republic of Slovenia or another Member State and video-based electronic identification, the due diligence and verification process must be done in-person.

Any enterprise dealing with cryptocurrency within Slovenian jurisdiction must therefore invite its customer to the enterprise’s premises and conduct an examination of the customer’s identity document in the customer’s presence to verify the customer’s identity prior to doing business with him/her if none of the relevant exceptions apply. As such enterprises usually address their products or services to customers worldwide, they are at a huge comparative disadvantage, because they have to comply with stricter regulations than their counterparts elsewhere. It is practically impossible to effectively conduct in-person customer verification with customers in remote jurisdictions, especially because performance by third parties is limited under ZPPDFT-1 and does not absolve the obliged person from the act’s requirements. 

Slovenia has seen several successful cryptocurrency-related enterprises begin their operations during the previous year. Almost exclusively, they conducted the identification and verification process through the “standard approach – that is, by gathering digital copies of identity documents. As this is now prohibited by Slovenian law, they have thus exposed themselves to fines by the competent regulatory authorities, as they are in breach of provisions regarding both due diligence measures and identity document storage. 

If Slovenia wants to fulfill its promise of becoming a “crypto-friendly” country, it has to reconsider its provisions regarding customer due diligence and storage of copies of identity documents to align itself with global standards and allow Slovenian enterprises and foreign enterprises operating in Slovenia to satisfy the national data protection and anti-money laundering provisions with at least the level of ease of enterprises operating outside of Slovenia. The simplest way would be by expanding the exception to the prohibition of storage of identity documents to a larger number of enterprises and amending the relevant provisions concerning customer due diligence to allow the possibility of remote identification through the “standard approach.”  

By Uros Cop, Managing Partner, Zan Klobasa, Legal Clerk, Law Firm Miro Senica & attorneys  

This Article was originally published in Issue 5.5 of the CEE Legal Matters Magazine. If you would like to receive a hard copy of the magazine, you can subscribe here.