The amendment to Article 6 of the Money Laundering Control Act was passed on July 31, 2024. According to Article 31 of the Act, the Executive Yuan announced that the amendment would take effect on November 30. Under the amended provisions, if businesses or individuals providing virtual asset services have not completed anti-money laundering registration with the FSC, they are prohibited from offering such services. Additionally, foreign entities or individuals who provide virtual asset services have not registered a company or branch in accordance with the Company Act and have not completed anti-money laundering registration shall not provide virtual asset services within the territory of Taiwan. Violators may be subject to criminal liability, including imprisonment for a term of not more than two years, detention, a fine not more thanNT$5 million, or a combination thereof. If a legal entity violates the regulations, both the responsible person and the legal entity may be fined not more than NT$50 million.

To implement the amended provisions, the FSC promulgated the “Regulations Governing Anti-Money Laundering Registration of Enterprises or Persons Providing Virtual Asset Services” (hereinafter referred to as the “Registration Regulations”) on November 26. These regulations, comprising a total of 31 articles, provide specific guidelines for the registration of virtual asset service providers (VASPs). According to the Registration Regulations, the scope of entities subject to regulation includes exchanges between virtual assets and the New Taiwan Dollar, foreign currencies, or fiat currencies issued by Mainland China, Hong Kong, or Macau (commonly known as fiat-to-crypto transactions), exchanges between virtual assets (commonly known as crypto-to-crypto transactions), transfers, custody, or management of virtual assets, or the provision of related management tools (such as custodial or non-custodial wallet providers), and participation in or provision of financial services related to the issuance or sale of virtual assets (such as issuers and underwriters). The regulations exclude digital forms of New Taiwan Dollar (CBDC), foreign currencies, legal tender issued by Mainland China, Hong Kong, or Macau, securities, and other financial assets issued in accordance with laws and regulations.

With respect to registration requirements and procedures, the Registration Regulations set out negative qualification criteria for VASP companies, limited partnerships, business responsible persons, or beneficial owners (Article 4), required application forms and eligible applicants (Article 5), business commencement deadlines and the obligation to join the Taiwan Virtual Asset Service Provider Association (Article 6), circumstances under which registration may be refused by the competent authority (Article 7), circumstances under which the registration may be voided or revoked after registration. (Article 8), and the requirement that VASP operators must apply for and obtain approval in advance for changes to specific matters (Article 9). When applying for anti-money laundering registration, VASPs must submit a service provider information form and establish internal anti-money laundering control and internal audit systems ("internal control systems"), a list of beneficial owners, an internal control checklist reviewed by a certified public accountant (CPA) with CPA-issued review opinion, thereby enhancing VASPs’ implementation of internal control systems and anti-money laundering practices.

In terms of the management of VASPs (including virtual asset service providers, exchangers, trading platforms, transferors, custodians, and underwriters), the Registration Regulations require that VASPs comply with applicable laws, articles of incorporation, internal control systems, and self-regulatory rules set by Taiwan Virtual Asset Service Provider Association (TVASPA) (Article 10). When receiving fiat currency from customers, such money must be deposited into designated accounts opened with financial institutions and either place in trust customers’ deposited fiat currency into trust deeds or obtain a full performance guarantee from banks (Article 11). A business continuity policy and procedures must be established, an information security management system must be implemented, and adequate and qualified information security personnel must be appointed. (Article 12). Procedures for handling customer complaints must be in place, ensuring fair and prompt resolution of disputes (Article 13). Material information must be announced and disclosed (Article 14), and records of services provided to customers must be retained for future inspection (Article 15). The virtual assets offered for exchange, the pricing method, and the exchange quantity, including hyperlinks to the whitepapers of the virtual assets, must be publicly disclosed (Article 16). Rules governing the exchange of virtual assets must be established and disclosed and must be incorporated into internal control systems (Article 17). Review standards and procedures for admitting and removing for virtual assets from trading must be formulated and incorporated into internal control systems (Article 19). Trading rules for virtual assets must be established, disclosed, and incorporated in internal control systems (Article 20). Mechanisms for preventing unfair market trading and detecting abnormal price or volume fluctuations must be implemented and integrated into internal control systems (Article 21). Virtual asset transferors must establish and disclose rules governing the transfer of virtual assets and incorporate them into internal control systems (Article 22). Assets held in custody for customers must be segregated from proprietary assets. (Article 23). The transfer of ownership of customer virtual assets to custodians must not be permitted, and such assets must be kept in segregated custody from the custodian’s proprietary virtual assets; co-mingling in custody must be prohibited (Article 24). Customer assets must not be used except under customer instructions, for offsetting customer expenses and debts, or for other causes permitted by the competent authority (Article 25). Custody policies and procedures for customer assets must be adopted, publicly announced, and included in internal control systems (Article 26). Customer assets held in custody must be faithfully recorded, including the names of individual customers, wallet addresses, and inbound and outbound transfers, and such records must be retained for inspection. A certified public accountant must be appointed at least once a year to issue and publicly disclose a report on customer assets held in custody. (Article 27). The disclosure for virtual asset underwriting must be specified, and the matters required to be publicly announced shall be disclosed accordingly. (Article 28). Underwriting rules for virtual assets must be established and publicly announced, and the related review standards and procedures must be incorporated into internal control systems (Article 29).

In addition, to avoid disruption to existing VASPs during the new law’s implementation, the Registration Regulations include transitional provisions. Prior to the implementation of the Money Laundering Control Act and the Registration Regulations, operators or individuals engaging in virtual asset-related businesses who had submitted an anti-money laundering compliance statement pursuant to Article 17 of the Regulations Governing Anti-Money Laundering and Countering the Financing of Terrorism for Enterprises Handling Virtual Currency Platform or Transaction (a total of 26 entities by November 27) must submit anti-money laundering registration with the FSC no later than March 31, 2025. Also, they must finalize and complete the registration by September 30, 2025. Those who fail to do so will not be permitted to continue operating (Article 30).

As part of Taiwan’s alignment with the FATF’s “Updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers” issued in October 2021, the implementation of the new regulations is expected to provide concrete evidence of Taiwan’s supervision of VASPs during future APG mutual evaluations and to present the country’s anti-money laundering efforts.

Following the amendment to the Money Laundering Control Act and the promulgation of the Registration Regulations, the VASP sector has become a licensed industry. VASPs who have not completed anti-money laundering registration with the FSC are prohibited from engaging in such business operations and may otherwise face severe criminal liability. As the Registration Regulations apply not only to legal entities but also to individuals, both large-scale virtual asset exchangers and small-scale individual crypto merchants are required to comply with the registration requirements. Registration Regulations require that VASPs abide by the following: establishment of internal control systems, information security mechanisms, anti-money laundering measures, and appropriate organizational structures. This is expected to increase the compliance burden on VASPs and gradually lead to the exit of operators that fail to meet the standards. (For example, on November 29 Binance removed the information related to all domestic C2C crypto merchants who had not completed anti-money laundering registration.) As the Registration Regulations have taken effect, the impact on Taiwan’s VASP industry remains to be seen and should be continuously monitored.

TDCC’s currently established “Anti-Money Laundering and Countering the Financing of Terrorism Query System” (AML/CFT) and “Company Transparency Platform” (CTP) have also been aligned with the implementation of the amended provisions of the Money Laundering Control Act. In conjunction with the implementation, a comprehensive review was conducted to verify whether VASPs applying to use the aforementioned systems had completed anti-money laundering registration. Access was suspended for VASPs that had not completed registration in order to ensure full regulatory compliance across the industry.