Back to list

Illegal mining farm in Zabaykalye: Business solutions

Незаконная майнинг-ферма Забайкалье: Решения для бизнеса

Compliance Guide for Crypto Business: Legalization of Mining and Crypto-Asset Operations in the RF and EU

About the article: This document is a practical guide for crypto business operators: mining farm owners, crypto exchange and wallet operators, and virtual asset service providers (VASP/CASP).

Target audience: Miners, exchange operators, crypto exchanges, custodial services.

Jurisdictions: Russian Federation (RF) and European Union (EU).

Relevance: Information is current as of Q3 2024.

Disclaimer: This material does not constitute legal or tax advice. A legal opinion from a specialized lawyer must be obtained before implementing any procedures.

Definitions

VASP/CASP (Virtual Asset Service Provider / Crypto-Asset Service Provider):
A provider of services in the field of virtual/crypto-assets. The terms are interchangeable and refer to organizations providing services for the exchange, storage, and transfer of crypto-assets (crypto exchanges, exchangers, custodial wallets).

Miner:
A person (individual or legal entity) using computing power to support the operation and creation of new blocks in cryptocurrency networks (e.g., Bitcoin) and receiving remuneration in the form of cryptocurrency for this.

Custodian (Custodial Service):
An organization that stores the private keys to its clients' crypto-assets, effectively controlling access to those assets.

UBO (Ultimate Beneficial Owner):
The final beneficial owner—an individual who ultimately owns or controls a legal entity.

TC (Technological Connection):
The procedure for connecting power-receiving devices (equipment) to the electrical grids of a grid organization.

Part 1. Regulation in the Russian Federation

1.1. Mining Compliance

Energy Compliance
The main legal risk for miners in the RF is claims related to improper electricity consumption. Using residential tariffs for commercial purposes or unauthorized connection entails administrative and criminal liability.

Legal framework and risks:

Unauthorized connection:
Qualified under Art. 7.19 of the Administrative Code of the RF1 (fine for legal entities up to 200,000 rubles). If damage exceeds 250,000 rubles—under Art. 165 of the Criminal Code of the RF2 (imprisonment for up to 5 years).

Energy-deficient regions:
In the Irkutsk region, Khakassia, and other regions, grid companies and the prosecutor's office actively identify "gray" miners and recover the cost of electricity at commercial rates through court proceedings.

Consumption legalization algorithm:

  1. Business Registration: Register an LLC or individual entrepreneur (IP) to conclude an energy supply contract at a commercial tariff.
  2. Registration of rights to the object: Prepare a lease agreement or ownership certificate for non-residential premises/land plot.
  3. Technological Connection (TC): Apply to the local grid organization (e.g., "Rosseti") for TC or a power increase according to Decree of the Government of the RF No. 8613. (See Appendix 3: Checklist of documents for TC).
  4. Conclusion of an energy supply contract: After fulfilling the technical conditions (TC), conclude a contract with the energy retail company.

Appealing a refusal of TC:
Grid organizations often unreasonably refuse TC, citing "lack of technical capacity."

  1. Claim: Send an official claim to the grid company. Response time—30 days.
  2. Complaint to the FAS: If there is no response or an unreasonable refusal, file a complaint with the Federal Antimonopoly Service. Consideration period—up to 1 month.
  3. Lawsuit: File a lawsuit to compel the conclusion of a contract and recover damages.

Customs compliance when importing equipment

Declaration:
Mining equipment (ASIC miners, video cards) is subject to customs declaration with the indication of EAEU HS codes (e.g., 8471 80 000 0 — "other computing machine units").

Certification:
It is necessary to issue a declaration or certificate of conformity with the requirements of the EAEU technical regulations (TR CU 004/2011 "On the safety of low-voltage equipment" and TR CU 020/2011 "Electromagnetic compatibility of technical means").

FSB Notification risk:
If the equipment contains cryptographic (encryption) modules not intended for public use, an FSB notification may be required. Lack of notification risks administrative liability and confiscation of goods.

1.2. Financial Compliance (AML/CFT)

Operations with digital currency fall under the Federal Law dated 07.08.2001 No. 115-FZ "On Counteracting the Legalization (Laundering) of Proceeds..." (hereinafter — 115-FZ)4.

Violations and liability:

Art. 15.27 of the Administrative Code of the RF:
Fines up to 1 million rubles or suspension of activities for failure to comply with AML/CFT legislation requirements.

Art. 174 and Art. 174.1 of the Criminal Code of the RF:
Criminal liability for the legalization of criminal proceeds.

Subjects of 115-FZ in the crypto sphere:
Direct subjects are DFA operators. Other market participants (mining pools, P2P platforms, custodial wallets) become subjects if their activities in the purchase, sale, exchange, or storage of digital currency are primary and they assume fiduciary obligations to clients.

Example:
A mining pool with a built-in wallet and exchanger is a subject of 115-FZ. A solo miner selling cryptocurrency on an exchange is not (but the exchange is).

Obligations of 115-FZ subjects:

Customer Identification (KYC):
Conduct full identification of customers, their representatives, and UBOs.

Reporting operations:
Notify Rosfinmonitoring of suspicious and mandatory operations within 3 working days via the Personal Account on the agency's portal (in the form of an FES). (See Appendix 2).

Data storage:
Store KYC profiles, reports, and business correspondence for at least 5 years.

1.3. Taxation

Position of the Ministry of Finance of the RF (Letter dated 08.11.2023 No. 03-04-05/106425):
Income from the sale of cryptocurrency is subject to Personal Income Tax (PIT) for individuals and tax under the STS/GTS (Simplified/General Tax Systems) for legal entities and individual entrepreneurs.

Mining:
The tax base is the market value of the mined cryptocurrency at the time it is credited to the wallet.

VAT:
Cryptocurrency sale operations are not subject to VAT.

Calculation example (IP on 15% STS):
0.1 BTC mined (value at the time of receipt — 500,000 rubles). Sold for 600,000 rubles. Costs for electricity and depreciation — 150,000 rubles.
Tax base = 600,000 − 150,000 = 450,000 rubles.
Tax = 450,000 * 0.15 = 67,500 rubles.

1.4. Interaction with the FTS and Banks

Banking control:
Banks, guided by 115-FZ, monitor operations related to cryptocurrency. When large sums from the sale of crypto-assets are credited, the bank has the right to request documents confirming the economic sense of the operation and the source of funds.

Risks:
Account blocking (suspension of operations) if documents are not provided or if explanations seem unconvincing to the bank.

Algorithm of actions upon bank request:

  1. Receive an official request from the bank.
  2. Prepare a package of documents: tax declarations, purchase and sale agreements (if any), transaction screenshots, reports from AML services, an explanatory letter.
  3. Provide documents to the bank within the established timeframe (usually 3–5 working days).

Part 2. Regulation in the European Union

The Markets in Crypto-Assets (MiCA, Regulation (EU) 2023/1114) regulation establishes uniform rules for crypto-asset service providers — CASP (Crypto-Asset Service Providers).

2.1. Key MiCA Requirements

CASP Authorization:
To operate in the EU, it is necessary to obtain a license from the national regulator of one of the member states (e.g., BaFin in Germany, AMF in France).

Capital requirements (Art. 67 MiCA):

  • €50,000 for advisory services.
  • €125,000 for exchange operators.
  • €150,000 for trading platform operators and custodians.

Passporting:
A license obtained in one EU country grants the right to operate throughout the Union after a notification procedure via the European Securities and Markets Authority (ESMA).

Sanctions for violations (Art. 111 MiCA):
Fines up to €5 million or 3% of annual turnover for legal entities, license revocation, personal bans for management.

2.2. Personal Data Protection (GDPR)

CASPs are required to comply with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) when processing client data.

Legal basis for processing:
Art. 6 GDPR — "compliance with a legal obligation" (AML/KYC under AMLD5 and MiCA).

Impact Assessment (DPIA):
Mandatory for large-scale data processing within KYC.

Conflict between AML and the Right to Erasure:
AMLD5 obliges the storage of KYC data for 5 years after the termination of the relationship with the client. If a data deletion request is made before this period expires, the company is obliged to refuse, citing this legal obligation.

Liability for violations:
Fines up to €20 million or 4% of the company's annual worldwide turnover.

2.3. Cybersecurity and Operational Resilience (DORA)

The DORA (Digital Operational Resilience Act, (EU) 2022/2554) regulation establishes cybersecurity requirements for financial organizations, including CASPs.

Key requirements:

  • ICT Risk Management: Implementation of an information and communication technology risk management system.
  • Incident Reporting: Classification and notification of regulators regarding serious cyber incidents.
  • Penetration Testing: Regular conducting of tests to verify system resilience.
  • Third-party risk management: Cybersecurity control of ICT service providers (e.g., cloud providers).

Part 3. Cross-jurisdictional Procedures

3.1. Sanctions Compliance

Key lists:
OFAC SDN List (USA), EU Consolidated List, UK Sanctions List, UN Security Council lists, Rosfinmonitoring list.

Screening frequency:

  • Onboarding: Upon client registration.
  • Periodic: Regular screening of the entire client base (quarterly).
  • Transactional: Before performing outgoing transactions.

Tools:
Sanctions list aggregators (Refinitiv, Dow Jones) and on-chain analytics services for checking crypto addresses (Chainalysis, Elliptic, Crystal).

Algorithm for handling matches (hits):

  1. Detection: An automated system detects a match.
  2. Analysis: A compliance analyst excludes a false positive. SLA: 4 working hours.
  3. Decision: If the match is confirmed, assets are immediately frozen. SLA: 24 hours.
  4. Regulator Notification: Report the freeze to the competent authority (OFAC, national EU regulator, Rosfinmonitoring) within the established timeframe.

3.2. Operational Procedures and Governance

Role Allocation (RACI Matrix):

Task / ProcessResponsibleAccountableConsultedInformed
Conducting AML screeningCompliance AnalystCompliance Officer (MLRO)Legal DeptManagement
Filing an FES reportCompliance Officer (MLRO)CEOLegal Dept
Blocking a sanctioned accountCompliance AnalystCompliance Officer (MLRO)Legal DeptFinance Dept

Incident Escalation Process:

  1. Level 1 (Compliance Analyst): Identification of a suspicious transaction or sanctions match.
  2. Level 2 (Compliance Officer/MLRO): Verification, decision-making (approve, reject, request documents, file report).
  3. Level 3 (Management/Lawyers): Consideration of high-risk cases, decision on terminating the relationship with the client.

Audit Log and KPI:

Audit Log:
All actions (checks, decisions, reports) are logged with client/transaction ID, date, employee name, and justification. Storage period — at least 5 years.

KPIs for the compliance department:

  • Average time to process an AML alert: < 24 hours.
  • False positive rate: < 15%.
  • Number of suspicious activity reports filed (SAR/STR).
  • Percentage of transactions checked via AML service: 100%.

Part 4. Practical Tools

4.1. AML Transaction Screening Algorithm

  1. Address Check: Before accepting funds, check the sender address via an AML service.
  2. Risk Signal Analysis: Analyze high-risk markers: links to the darknet, mixers, sanctioned wallets, gambling platforms, fraud.
  3. Decision Making: Set an internal risk threshold (e.g., do not accept funds with a risk score above 70% or direct contact with high-risk sources).
  4. Actions for High Risk:
    • Do not accept the transfer. Request sending from another, "clean" address.
    • Document the refusal by saving the AML report (PDF/screenshot).
    • Decide on filing a suspicious operation report.

4.2. Service Refusal Template

Dear [Client Name],

In accordance with our internal Anti-Money Laundering Policy (AML/CFT), we have conducted a check of the address you provided [Wallet Address]. Based on the results of the check (Report ID: [Report ID in AML system]), risks incompatible with our standards were identified.

On this basis, we cannot accept your transfer and are forced to refuse further service.

Regards,
Compliance Department
[Your Company Name]

Conclusion: 90-day Action Plan

  1. First 30 days (Foundation):

    • Legal Structure: Register as an IP/LLC. Conduct an audit of rights to objects and import procedures for equipment (for miners).
    • Energy Audit: Apply for TC or bring the contract into compliance.
    • Choosing an AML Provider: Test and select a service for AML and sanctions screening.

  2. Next 60 days (Procedure Implementation):

    • Policy Development: Create and approve internal regulations: AML/CFT, sanctions compliance, data protection policy (GDPR), cybersecurity policy (DORA), escalation procedure. (See Appendix 4).
    • KYC/CDD Implementation: Start collecting and verifying client data. (See Appendix 1).
    • Automation: Integrate the AML service into business processes.

  3. 90+ days (Systematization and Monitoring):

    • Staff Training: Conduct training sessions on new compliance procedures.
    • Regular Audit: Schedule a quarterly risk review and policy update.
    • Legislation Monitoring: Appoint a person responsible for tracking changes in 115-FZ, MiCA, DORA, and sanctions regimes.

Appendices

Appendix 1: KYC Form Template (Key Fields)

For individuals:
Full name, date of birth, citizenship; identity document details; registration and residence address; TIN (or equivalent); proof of Source of Funds (SoF) for large transactions.

For legal entities:
Full name, registration number (OGRN/INN); legal address; ownership structure (chart showing shares); UBOs data (form as for individuals); confirmation of the Source of Wealth (SoW).

Appendix 2: FES Report Template (Main Fields)

FES Code:
01 (mandatory control) or 04 (suspicious operation).

Organization Details:
Name, TIN/KPP.

Participant Details:
Full details (Name, documents, address).

Operation Details:
Date, amount, currency, basis.

Signs of a Suspicious Operation:
Codes from the Rosfinmonitoring list (e.g., 2201 — complex nature of the transaction, 1110 — connection with sanctioned persons).

Additional Information:
Description of the reasons why the operation was deemed suspicious.

Appendix 3: Checklist of Documents for Technological Connection (TC)

  1. Application for TC according to the established form.
  2. Location plan of power-receiving devices (PRD).
  3. List and power of PRD (ASIC miners, cooling systems).
  4. Copies of title documents for the object (Extract from EGRN or lease agreement).
  5. Copies of constituent documents (for LLC) or passport (for IP).
  6. Power of attorney (if the application is submitted by a representative).

Appendix 4: Internal AML/CFT Policy Structure

  1. Introduction: Goals, objectives, applicable legislation.
  2. Terms and Definitions.
  3. Risk Management Program: Risk assessment methodology (clients, countries, products), risk appetite.
  4. Client Identification Procedure (KYC/CDD/EDD): Requirements for data collection, verification, UBO identification.
  5. Transaction Monitoring: Rules, threshold values, red flags.
  6. Sanctions Compliance: Screening procedure, handling matches.
  7. Procedure for Informing the Authorized Body: Procedure for preparing and sending FES.
  8. Data and Document Storage.
  9. Staff Training.
  10. Internal Audit and Control.
  11. Roles and Responsibilities: Including the appointment of a responsible officer (MLRO).

Footnotes

  1. Code of the Russian Federation on Administrative Offenses dated 30.12.2001 N 195-FZ.

  2. Criminal Code of the Russian Federation dated 13.06.1996 N 63-FZ.

  3. Decree of the Government of the RF dated 27.12.2004 N 861.

  4. Federal Law dated 07.08.2001 N 115-FZ "On Counteracting the Legalization (Laundering) of Proceeds from Crime and the Financing of Terrorism."

Tags

crypto mining compliance
russia crypto regulation
eu crypto regulation
vasp casp licensing
electricity consumption for mining