* This is Part Two of a two-part series dealing with Pig Butchering and APP scams.
As discussed in Part One of this two-part series the technical note guidance issued by the OAFS places varying levels of responsibility on different types of financial services providers and this includes Virtual Financial Assets Service Providers and Crypto-Asset Service Providers.
VFASPs and CASPs are essentially cryptocurrency service providers – such as crypto exchanges, digital wallet providers, or other platforms dealing in crypto-assets.
In pig butchering schemes, VFASPs and CASPs often come into play when the victim is instructed to convert their money to crypto. For example, a scammer might persuade the victim to open an account on a crypto exchange to buy Bitcoin and then have them transfer the Bitcoin to an external wallet that the scammer controls.
Historically, VFASPs have not been held to the same standard of transaction monitoring as banks. The technical note makes this clear: the VFA Act did not impose PSD2-like requirements on VFASPs to monitor transactions for fraud in the way banks must. Instead, their main obligations were anti-money laundering (AML) duties, such as KYC (know-your-customer) and reporting suspicious activity, under the oversight of Malta’s Financial Intelligence Analysis Unit (FIAU).
The technical note addresses that as of 30 December 2024, the EU’s “Travel Rule” for crypto came into effect[1]. This law requires CASPs to collect and exchange information about the originators and beneficiaries of crypto transfers, especially when transferring to/from unhosted wallets (external wallets not held at an exchange).
In his technical note, the arbiter highlights that with this coming into force, a VFASP’s/CASP’s obligation to have reliable records on the owners of external wallets increases “exponentially” from the end of 2024. In practical terms, VFASPs/CASPs can no longer claim ignorance about where a customer is sending crypto – they are expected to gather at least some information. The technical note explicitly says that arguments like “we have no way of knowing who owns the external wallet” will lose force under the new rules.
While VFASPs might argue that their license doesn’t require transaction monitoring like a bank’s licence does, the Arbiter counters that Article 27(2) of the VFA Act binds them to fiduciary obligations like those of other financial services. This means that they should act in the best interest of their clients insofar as applicable. The technical note acknowledges that VFASPs often lack long-term transaction records for clients (crypto accounts can be new and sparsely used), which makes detecting “out-of-norm” patterns harder.
However, it also argues that even within a short span of activity, there can be clear red flags. If certain payments or transfers stand out as unusual compared to the rest of the customer’s activity, or if they clash with what the VFASP/CASP knows about the customer’s profile (their KYC information, stated source of funds, etc.), the VFASP/CASP has a duty to investigate and have a timely conversation with the client.
If you or anyone you know has fallen victim of such a scam, your right of recourse is through the Office of the Arbiter for Financial Services. The complainant must be a natural person (or his/her successor in title) or micro enterprise. Claims may only be instituted by the complainant against the financial service provider (“FSP”) which the consumer is directly linked to.
The first step that the claimant should take is to file a complaint with their FSP. This gives the opportunity for the FSP to investigate the complaint first. Should the FSP fail to remedy the situation, only then can one file a formal complaint with the OAFS.
Failure by the FSP arises if (i) The complainant sent a letter of complaint to the FSP but did not recieve a satisfactory reply (ii) The complainant sent a letter of complaint to the FSP, which letter has not been acknowledged within 15 working days; or (iii) the FSP offered a settlement which was rejected by the complainant.
As soon as the complaint is accepted and being considered by the OAFS, the FSP should continue to deal with the complainant as usual, such as handling their accounts and affairs, as the case may be.
The FSP is free to revise any earlier offer made or even propose a new offer if it thinks that it would lead to an amicable resolution of the dispute. At the same time, the OAFS should be informed of any material developments relating to the complaint, including any revisions to already existing settlement offers, or any new offers made by the FSP to the complainant.
Complaints will not be accepted by the OAFS if a period of two years lapse from the day on which the complainant first had knowledge of they matters they felt aggrieved by.
Decisions of the Arbiter are legally binding upon all parties to the proceedings. However, they are subject to appeal by either party in front of the Court of Appeal (Inferior Jurisdiction)
If no appeal is made within twenty days from the date when the decision of the arbiter was notified to the parties, the Arbiter’s decision becomes res judicata and cannot be appealed.
A decision by the Court of Appeal as well as the Arbiter’s decision (if appeal terms has elapsed) constitute an executive title.
For information or assistance, please contact us at info@gtg.com.mt
Author: Dr Delilah Vella
[1] Regulation (EU) 2023/1113 of the European Parliament and of the Council of 31 May 2023 on information accompanying transfers of funds and certain crypto-assets and amending Directive (EU) 2015/849 (Text with EEA relevance)