Разработка compliance-системы для VASP
VASP (Virtual Asset Service Provider) — термин FATF для компаний, предоставляющих услуги с виртуальными активами: обмен, передача, хранение, управление. Compliance система для VASP должна покрывать полный набор FATF рекомендаций плюс требования конкретной юрисдикции лицензирования.
FATF Рекомендации для VASP
FATF Recommendation 15 (R15) требует от VASP:
- Регистрации или лицензирования в юрисдикции деятельности
- AML/CFT программы (R10-21)
- Travel Rule compliance (R16)
- Sanctions screening
- Reporting suspicious transactions
Для технической системы это означает набор связанных модулей:
Customer Risk Assessment
Каждый клиент получает risk score при onboarding и переоценивается периодически:
class VASPCustomerRiskEngine {
async assessCustomer(customer: CustomerProfile): Promise<RiskAssessment> {
const factors = await Promise.all([
this.assessCountryRisk(customer.residenceCountry, customer.nationality),
this.assessProductRisk(customer.expectedProducts),
this.assessVolumeRisk(customer.expectedMonthlyVolume),
this.checkPEPStatus(customer),
this.checkSanctionsStatus(customer),
this.assessCustomerType(customer.type), // individual vs corporate
]);
// Weighted aggregation
const weights = { country: 0.3, product: 0.15, volume: 0.2, pep: 0.2, sanctions: 0.15 };
const weightedScore = factors.reduce((sum, f, i) =>
sum + f.score * Object.values(weights)[i], 0
);
const riskLevel: RiskLevel =
factors.find(f => f.score === 100)?.forceHigh ? RiskLevel.HIGH :
weightedScore >= 70 ? RiskLevel.HIGH :
weightedScore >= 40 ? RiskLevel.MEDIUM :
RiskLevel.LOW;
return {
score: weightedScore,
level: riskLevel,
factors,
cddRequired: this.determineCDDLevel(riskLevel),
reviewFrequency: this.getReviewFrequency(riskLevel), // LOW: 3yr, MED: 1yr, HIGH: 6mo
nextReviewDate: this.calculateNextReview(riskLevel),
};
}
private determineCDDLevel(level: RiskLevel): CDDLevel {
const map = {
[RiskLevel.LOW]: CDDLevel.SIMPLIFIED,
[RiskLevel.MEDIUM]: CDDLevel.STANDARD,
[RiskLevel.HIGH]: CDDLevel.ENHANCED,
};
return map[level];
}
}
Transaction Monitoring Rules Engine
Правила мониторинга транзакций специфичны для VASP (отличаются от банковских):
const VASP_TM_RULES: MonitoringRule[] = [
{
id: "VASP-001",
name: "High Value Transaction",
condition: (tx) => tx.usdAmount >= 10000,
alertLevel: AlertLevel.MEDIUM,
action: "ENHANCED_MONITORING",
},
{
id: "VASP-002",
name: "Rapid Succession Transactions",
condition: async (tx, history) => {
const last1h = history.filter(h => Date.now() - h.timestamp < 3600000);
return last1h.length >= 5 && last1h.reduce((s, h) => s + h.usdAmount, 0) >= 5000;
},
alertLevel: AlertLevel.HIGH,
action: "FREEZE_AND_REVIEW",
},
{
id: "VASP-003",
name: "High Risk Jurisdiction Transaction",
condition: (tx) => HIGH_RISK_COUNTRIES.includes(tx.counterpartyCountry),
alertLevel: AlertLevel.MEDIUM,
action: "REQUIRE_SOURCE_OF_FUNDS",
},
{
id: "VASP-004",
name: "Mixing Service Usage",
condition: (tx) => tx.amlCategory === "mixing" || tx.amlCategory === "tumbling",
alertLevel: AlertLevel.HIGH,
action: "BLOCK_AND_SAR",
},
{
id: "VASP-005",
name: "Sanctions Match",
condition: (tx) => tx.sanctionsMatch === true,
alertLevel: AlertLevel.CRITICAL,
action: "FREEZE_AND_REPORT_IMMEDIATELY",
},
];
Record Keeping (FATF R11)
FATF требует хранить records 5+ лет. Система должна обеспечить:
interface VASPRecord {
customerId: string;
recordType: "KYC" | "TRANSACTION" | "CORRESPONDENCE" | "SAR" | "RISK_ASSESSMENT";
createdAt: Date;
retentionUntil: Date; // createdAt + 5 лет (или дольше по юрисдикции)
content: encrypted_blob;
checksum: string; // integrity verification
accessLog: AccessLogEntry[];
}
class RecordKeepingService {
async storeRecord(data: any, type: RecordType, customerId: string): Promise<string> {
const encrypted = await this.encrypt(JSON.stringify(data));
const checksum = crypto.createHash("sha256").update(encrypted).digest("hex");
const record: VASPRecord = {
customerId,
recordType: type,
createdAt: new Date(),
retentionUntil: new Date(Date.now() + 5 * 365 * 24 * 60 * 60 * 1000),
content: encrypted,
checksum,
accessLog: [],
};
await this.db.saveRecord(record);
return checksum;
}
// Проверка integrity при retrieval
async retrieveRecord(recordId: string): Promise<any> {
const record = await this.db.getRecord(recordId);
const computedChecksum = crypto
.createHash("sha256")
.update(record.content)
.digest("hex");
if (computedChecksum !== record.checksum) {
throw new Error("Record integrity compromised");
}
await this.db.logAccess(recordId, "READ");
return JSON.parse(await this.decrypt(record.content));
}
}
Travel Rule модуль
FATF R16 требует передавать information об отправителе и получателе для переводов выше $1,000/$3,000. Детальная реализация через Notabene или Sygna (отдельные сервисы), здесь — orchestration логика:
async function processVASPTransfer(transfer: OutgoingTransfer): Promise<void> {
const travelRuleRequired = transfer.usdAmount >= TRAVEL_RULE_THRESHOLD;
if (travelRuleRequired) {
// Определяем принимающий VASP
const receivingVASP = await identifyReceivingVASP(transfer.destinationAddress);
if (!receivingVASP) {
// Unhosted wallet — упрощённые требования, но нужна enhanced monitoring
await addEnhancedMonitoring(transfer.userId);
} else {
// Отправляем Travel Rule data через Notabene/Sygna
await travelRuleProvider.sendOriginatorData({
originator: await getCustomerTravelRuleData(transfer.userId),
beneficiary: { vasp: receivingVASP },
transfer: { asset: transfer.asset, amount: transfer.amount, txHash: transfer.txHash },
});
}
}
await executeTransfer(transfer);
}
Compliance Dashboard
Для Compliance Officer — дашборд с:
- Pending KYC reviews (очередь верификации)
- Active alerts и transaction monitoring hits
- SAR queue (черновики + поданные)
- Customer risk reviews due (клиенты для переоценки риска)
- Sanctions list updates
- Regulatory reporting deadlines
| Компонент | Технология |
|---|---|
| Risk engine | Node.js + PostgreSQL |
| TM rules | Configurable rules engine + BullMQ |
| KYC | Sumsub + webhook |
| AML | Chainalysis KYT |
| PEP/Sanctions | ComplyAdvantage |
| Travel Rule | Notabene или Sygna |
| Dashboard | React + admin panel |
Полная VASP compliance система: 3-4 месяца разработки.