Key Takeaways From the FATF Updated Guidance on VAs and VASPs
Merkle Science
Introduction
On October 28, 2021 the FATF issued its promised updated guidance for virtual assets (VAs) and virtual asset service providers (VASPs). The FATF thoughtfully collected insight from the industry and consulted transaction monitoring firms, including Merkle Science, to better-understand how crypto crime has evolved and how crypto is being used for illicit activity. The updated guidance addresses many of the most pressing issues in the crypto industry identified from the FATF’s Second 12 Month Review of the Revised FATF Standards on VAs and VASPs. It offers clarifications to standards established in its previous draft guidance, including DeFi, peer-to-peer (P2P) transactions, stablecoins, the Travel Rule, and more.
Below are Merkle Science’s key takeaways from the updated guidance that crypto-asset business should take note of:
VASP or not VASP? The FATF introduces the owner/operator test
The FATF’s draft updated guidance, released in March 2021, stated that DeFi projects would be considered a VASP "when they engage as a business in facilitating or conducting the activities." Under this definition, those service providers that were previously not under the FATF’s purview — such as non-custodial software wallets, multi-sig services, and software-based decentralized exchanges — were considered to be VASPs.
In its updated guidance, the FATF introduced the owner/operator test and removed the term ‘facilitate’ which it had introduced in its March draft updated guidance for determining whether an entity/individual involved in an DeFi arrangement is a VASP The FATF has stated that “creators, owners, and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements that seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services”. The FATF has given a non-exhaustive list of activities that could be construed as being done by the owner/operators. These examples include exercising sufficient influence over the assets or service protocol and the existence of a business relationship between the owner/operator and the consumer (regardless of whether it is exercised through smart contract or voting protocols). Additionally, the FATF suggests that countries take into account other factors as well, such as considering whether the party can set or change parameters to identify the owner/operator of a DeFi arrangement and determining whether any entity or individual is profiting from the service being offered.
Adopting a technology-neutral approach, the FATF clarified that DeFi applications (dApps) are not VASPs as the FATF standards do not apply to the underlying technology. Therefore, software developers creating or selling dApps on VA platforms will not be considered VASPs, unless they specifically use the dApp/platforms to engage in VASP functions, as a business on behalf of others.
Further, the FATF guidance has also clarified that individual governance token holders would not fall under the definition of a VASPs and the AML/CFT obligations will lie with entities exercising control or sufficient influence over the Defi platform. However, if the individual token owners satisfy the owner/operator test they may be considered VASPs
The FATF has stated that even if a DeFi project has no owners or operators, countries may require that a regulated VASP be involved in the DeFi project’s related activities. And if a project is completely decentralized, then it will likely not be considered a VASP by the FATF. Ultimately, the FATF has given leeway to the jurisdictions to interpret and apply the definitions broadly.
Countries should work with private sector to understand P2P risks
Peer-to-peer (P2P) transactions are also of concern, as the FATF has restated that self-hosted wallets present higher AML/CFT risks. Surprisingly, the FATF has moved away from its earlier suggestion that countries may consider “denying licensing of VASPs if they allow transactions to/from private or unhosted wallets. This shift in guidance may have resulted from the FATF’s recognition that banning unhosted wallets may be ineffective, due to their borderless nature.
P2P transactions are not explicitly subjected to AML/CFT controls under the FATF standards. The FATF, however, has urged countries to work together with the private sector to provide proper training to financial investigators and law enforcement and to leverage blockchain analytics tools such as Merkle Science to understand risks, methodologies, and suspicious behavior.
Governance and access determine stablecoin classification
In its latest guidance, the FATF recognized the differences in the structure of stablecoins, noting that they can be centralized or decentralized — both in terms of their governance and in terms of who can access the stablecoin (ie. whether the stablecoin can be transferred to and used by an unhosted wallet).
In centralized stablecoins, a governance body consisting of one or more natural legal persons, establishes the rules governing stablecoin arrangement, such as the functions of the stablecoin. These centralized governance bodies will be considered by the FATF standards to be either as financial institutions or VASPs. Such a body will, therefore, be required to undertake ML/TF risk assessments before the launch or use of the stablecoin and take appropriate measures to manage and mitigate risks across the arrangement before launch.
The FATF also recognizes that not all stablecoins may have a readily identified central body that may be identified as a VASP or a FI. In such cases, entities drive the development and launch of such an arrangement before its release. If these entities are businesses carrying out VASPs function, then they will have to fulfill AML/CFT requirements in the pre-launch stage.
The FATF has also stated if there is not an identifiable VASP or FI, then jurisdictions should proactively consider the risks that a given stablecoin poses and take mitigation measures if required.
VASPs that have not implemented the Travel Rule considered “higher risk”
In its most recent guidance, the FATF has concluded that VASPs that have not implemented the Travel Rule should be considered higher-risk. In addition, when interacting with unhosted wallets, VASPs must continue to collect the required information with respect to each of their customers.
To ensure smooth implementation of the Travel Rule and to do away with uncertainties, the FATF has explained how the travel rule applies to transactions involving automatic refunds. In scenarios where a VASP (originator VASP) may have to send a greater amount of VA than the actual amount of VA to be transferred, with the difference automatically refunded to the originator VASP. In such a scenario, the travel rule does not apply to the recipient VASP in respect of the refund, as refund forms part of the transfer by the ordering VASP.
To ensure that they are compliant with the travel rule, VASPs are now required to undertake counterparty due diligence before they transmit the required information to another VASP. This is done to protect the VASPs from engaging with illicit actors or sanctioned actors unknowingly. In situations where VASPs have previously conducted counterparty due diligence for certain VASPs, then the VASPs do not have to undertake counterparty due diligence again for every individual VA transfer, unless there is a suspicious transaction history or other information.
Data security is one of the primary issues plaguing the implementation of the Travel Rule. In the updated guidance, the FATF has tried to strike a balance between the implementation of the Travel Rule and protection of sensitive data. As per the FATF, a VASP needs to assess the counterparty VASP’s AML/CFT controls to avoid submitting their customer information to illicit actors or sanctioned entities. The VASPs should also consider whether there is a reasonable basis to believe the VASP can adequately protect sensitive information. When a VASP has a reasonable belief that the counterparty VASP will not be able to transmit the user data securely, then in such situations, a VASP may choose not to share customer data with the counterparty VASP.
In the case of unhosted wallets, wherein there is no involvement of the originator or beneficiary institution, a VASP must still collect the required information with respect to their customer.
NFTs not considered virtual assets… for now
The FATF has clarified that NFTs or crypto-collectibles generally fall outside the virtual asset definition but may be considered such if used for payment or investment purposes in practice.
Why Merkle Science
Once again, the FATF specifically highlighted the need of using technology-based solutions for transaction monitoring and enhanced due diligence to combat AML/CFT crimes. Merkle Science’s highly customizable and easy-to-use platform provides near real-time detection of blockchain transactional risks Our predictive cryptocurrency risk and intelligence platform set the standard for the next generation of financial safeguards and criminal detection. Merkle Science proprietary Behavioral Rule Engine allows users to tailor the tool according to VASP’s own risk policies based on the FATF standards so that businesses may stay ahead of emerging illicit activities and fulfill their local compliance obligations.
Furthermore, with the FATF reemphasizing the need for strict implementation of the Travel Rule, Merkle Science stands in support of the crypto industry, nations, and VASPs as they gear themselves for implementation of the Travel Rule.