In an on-going effort to set international standards that aim to prevent illegal activities, the Financial Action Task Force (FATF) released a public consultation on 19 March 2021 for its latest Draft Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. This draft is an update of the FATF’s March 2019 guidance, which placed anti-money laundering and financing of terrorism obligations on virtual assets (VAs) and virtual asset service providers (VASPs).
As the industry has evolved — and continues to evolve — since then, the latest draft guidance provides updates in six main regulatory areas, as well as clarifications on specific terms and how aspects of the guidance should be interpreted. As we review the updates and proposals, it is prudent to keep in mind the FATF’s goals:
- To maintain a level playing field for VASPs based on the financial services they provide in accordance with the current international standards placed on financial institutions or other institutions that must comply with AML/CFT regulations
- To minimize the opportunity for “regulatory arbitrage” between sectors and countries
The document highlights and provides updated guidance in predominantly six regulatory areas, which include:
1) Clarity on the definitions of VA and VASP: The FATF makes clear in the draft guidance that the definitions of VA and VASP are inclusive and wide-ranging. In other words, there should not be a relevant financial asset that is not covered by The FATF Standards. Amongst this, the following are considered to be VAs and VASPs:
- Decentralized exchanges (DEXs)
- Certain non-fungible tokens (NFTs) that may possibly facilitate money laundering and terrorism funding activities
- Crypto escrow services, which implies to include DeFi protocols
- Certain decentralized application (dApp) owners and operators, even though the dApps themselves are not VASPs
2) Stablecoins in relation to the FATF Standards: As stablecoins are coming to the fore, the draft guideline states that stablecoins are virtual assets and FATF Standards apply to these instruments. However, government-issued Central Bank Digital Currencies (CBDCs) are not considered VAs and, therefore, FATF Standards do not apply.
3) Peer-to-peer (P2P) transaction risks and potential risk mitigants: While P2P transactions are not explicitly subject to the FATF’s AML/CFT obligations, the FATF recognizes that P2P transactions may “heighten ML/TF risk” and may be used to avoid AML/CFT controls imposed upon VASPs or other obligated entities. As P2P transfers gain mainstream traction, this may lead to systemic ML/TF vulnerabilities.
4) Updated guidance on the licensing and registration of VASPs: While there is some flexibility for jurisdictions when it comes to VASP licensing and registration, VASPs should be required to be licensed or registered in the jurisdiction where they’re created at a minimum. Countries may also require VASPs that are offering products and services to users in their jurisdiction to be licensed or registered. Country regulators and authorities should have mechanisms in place to monitor VASPs in their jurisdictions and identify individuals who carry out VA activities and operations without proper licensing and registration.
5) Additional guidance for the public and private sectors on ‘Travel Rule’ implementation: The FATF has indicated that VASPs are considered high risk if they have not yet implemented the “Travel Rule” — and need to undertake counterparty VASP due diligence before they transmit the required information. Should the beneficiary jurisdiction lack regulation, originating VASPs may require ‘Travel Rule’ compliance from beneficiaries by contract or business practice based on the VASP’s individual risk analysis.
In the case of P2P transactions, where there is not an originator or beneficiary institution, the beneficiary VASP must still collect the required information with respect to their customer and jurisdictions should consider requiring VASPs to treat such VA transfers as higher-risk transactions that require enhanced scrutiny.
6) Principles of information sharing and co-operation amongst VASP Supervisors: Due to the cross-border nature of VAs and VASPs, information sharing by international authorities and the private sector is critical. Under the new guidance, the FATF has developed a list of Principles of Information Sharing and Co-operation between VASP Supervisors, which covers identifying Supervisors and VASPs and best practices for information exchange and co-operation between jurisdictions. This includes:
- Each country must designate at least one competent authority as their VASP Supervisor(s); the authority must not be a self-regulatory body
- The VASP Supervisor(s) must be clearly identified by countries
- Should a VASP operate in more than one jurisdiction, a primary Supervisor should be identified based on where the VASP has a significant portion of its business
A number of jurisdictions are using or exploring the use of blockchain analytics tools like Merkle Science’s Blockchain Monitor to assist with their supervision in a number of ways — from assessments of individual firms to categorizing the highest risk firms based on their activities. (See paragraph 209)
The FATF also proposed several new ideas, no doubt as a result of the recent surge in interest and market entry into the cryptocurrency sector. These include:
- VASPs’ obligation to assess and mitigate proliferation financing (PF) risks, which includes the financing of nuclear, chemical, and biological weapons
- Guidelines on best practices for counterparty VASP due diligence
- Options for mitigating P2P transfer risks
- Further ‘Travel Rule’ guidance and clarifications
It is important to note that the FATF places the onus of P2P transaction risk identification and mitigation on VASPs and countries. VASPs should consider — starting from the design or development phase — whether any virtual assets or future products will enable P2P transactions, which may include unhosted wallet transfers. If so, VASPs should also consider how to mitigate ML/TF risks. In turn, countries should consider how the ML/TF risks of P2P transactions may be mitigated through, for example, Merkle Science’s blockchain analytics tools. Our coverage of P2P exchanges, along with our behavior-based rules, can help VASPs detect untagged P2P wallets as well. (See paragraph 35).
How Merkle Science Can Help
In addition to the latest proposals mentioned above, VASPs have been taking advantage of our highly-customizable Blockchain Monitor and Merkle Science Investigator tools in areas such as:
- Applying guidelines and feedback provided by authorities and law enforcement through Blockchain Monitor to combat ML/TF and to detect and report suspicious activities (See paragraph 196, Recommendation 34)
- Managing and mitigating transactions that use anonymity-enhancing technologies — such as mixers and tumblers — that obfuscate the identity of the sender, recipient, holder, or beneficiary of a virtual asset (See paragraph 151)
Provide Feedback to the FATF
The FATF is currently seeking feedback from the private sector — particularly representatives from the VA and VASP communities, technology developers and providers, other regulated entities such as banks, and authorities — before it finalizes its updated guidance in June 2021. Merkle Science will be submitting suggestions to Global Digital Finance and CryptoUK — two leading associations advocating for the best practices and highest standards of conduct when it comes to virtual assets.
Should this be of interest, feedback may be sent to FATF.Publicconsultation@fatf-gafi.org with the subject line “Comments of [author] on the draft revised VASP Guidance” by 20 April 2021 (18:00 UTC).
Respondents who wish to provide their views should focus on the following areas:
- Does the revised Guidance on the VASP definition better-clarify which businesses are undertaking VASP activities? (See paragraphs 47–79)
- What are the most effective ways to mitigate the ML/TF risks relating to P2P transactions? (See paragraphs 34–35 and 91–93)
- Does the revised Guidance in relation to the ‘Travel Rule’ need further clarity? (See paragraphs 152–180 and 256–267)
- Does it provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities? (See Boxes 1 and 4 and paragraphs 72–73, 122 and 224)
- Are there any further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards?
Respondents must indicate the following in their emails*:
- Name of their organization
- Nature of their business (VASP, technology provider, academic, policy body, other regulated entity)
- Contact details
*The contact information respondents provide will be used for the purpose of this public consultation only and won’t be shared with third parties without the respondent’s consent.