FATF publishes updated guidance on virtual assets to align crypto sector with legacy financial system

Context

On 28 October 2021, the Financial Action Task Force (FATF) published “Updated Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs)”. 

The Guidance describes how FATF recommendations apply to countries and competent authorities, as well as to VASPs and other obliged entities that engage in VA activities, including financial institutions (FIs).

Almost all the FATF recommendations (and all the preventive measures in recommendations 9 through 21) are directly relevant to address the money laundering and terrorism financing (ML/TF) risks associated with VAs and VASPs.

In general, the FATF recommendations apply to VASPs in the same manner as FIs, with two specific qualifications:

• The occasional transaction threshold,¹ above which VASPs are required to conduct customer due diligence (CDD), is USD/EUR1,000 (rather than USD/EUR15,000); and
• The wire transfer rules set out in Recommendation 16 apply to VASPs and VAs transfers in a modified form (so-called “travel rule”).
   

What’s new in the updated Guidance?

This updated Guidance is focused on six key areas to:

1. Clarify the definitions of VA and VASP to spell out that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF standards (either as a VA or as another financial asset);
2. Provide guidance on how the FATF standards apply to stablecoins and clarify that a range of entities involved in stablecoin arrangements could qualify as VASPs under the FATF Standards;
3. Provide additional guidance on the risks and tools available to countries to address the ML/TF risks for peer-to-peer (P2P) transactions, which are transactions that do not involve any obliged entities;
4. Provide updated guidance on the licensing and registration of VASPs;
5. Provide additional guidance on the implementation of the travel rule; and
6. Include principles of information sharing and cooperation amongst VASP supervisors.

Extended definition of VAs and VASPs

The Guidance increases its scope to include new types of digital assets and providers of certain services in these assets as VAs² and VASPs³, effectively leading to a situation where no financial asset will be interpreted as falling entirely outside the FATF Standards.

If non-fungible tokens (NFTs⁴) are to be considered as VAs, this should be determined on a case-by-case basis.

A decentralized finance (DeFi⁵) application (i.e., a software program) is not a VASP, as the FATF Standards do not apply to underlying software or technology. However, creators, owners and operators, or other persons who maintain control or sufficient influence over DeFi arrangements may fall under the FATF definition of a VASP if they provide or actively facilitate VASP services.
 

How do FATF standards apply to stablecoins?

If stablecoin arrangements have a central developer or governance body, they will generally be covered by the FATF standards either as a FI or a VASP. Therefore, such bodies should undertake ML/TF risk assessments before the launch or use of the stablecoin, and take appropriate measures to manage and mitigate risks across the arrangement before launch.

However, countries should carefully consider the risks posed by stablecoins that lack such a readily identified central body and the need for mitigation measures, especially those recommended for P2P transactions. Additionally, this does not only apply to software code developers, but rather the persons involved in stablecoin arrangements that provide financial services covered by the VASP definition. A range of other entities in the stablecoin arrangement may also have AML/CFT obligations, such as exchanges or custodial wallet services.

Particular concern with stablecoins highlighted by the FATF is their potential for mass-adoption, which could heighten ML/TF risks.
 

P2P transactions currently out of reach

P2P transactions⁶ are not explicitly subject to AML/CFT controls under the FATF standards. This is because the FATF Standards generally place obligations on intermediaries (“obliged entities”), rather than on individuals themselves.

Therefore, illicit actors could exploit this to obscure the proceeds of crime because there is no obliged entity carrying out the core functions of the FATF Standards, such as CDD and suspicious transaction reports (STRs).

For this reason, FATF urges for ML/TF risks related to P2P transactions to be monitored by countries and VASPs in an ongoing and forward-looking manner (especially if there is a clear trend of increasing P2P transactions to the point that illicit activity was occurring to a “significant degree”). The Guidance now provide a set of measures that countries should consider to mitigate these risks at a national level.
 

Smart contracts⁷ and the struggle to define a VASP

Using an automated process like a smart contract to carry out VASP functions does not relieve the part(ies) of their VASP obligations and responsibilities. In these instances, controlling parties that qualify as VASPs should undertake ML/TF risk assessments before the platform is launched or used and take appropriate measures to mitigate risks.

However, it can be challenging in certain circumstances to identify which entities are VASPs and define their regulatory perimeter. When there is a need to assess a particular entity to determine whether it is a VASP or evaluate a business model where the VASP status is unclear, the Guidance provides a few general questions that can help supervisors guide the answer (such as who profits from the use of the service, who established the rules and can change them, who can shut down the product or service etc).

Which VASPs should be licensed or registered?

Countries should designate one or more authorities responsible for licensing and/or registering VASPs, either by including VASPs into an existing licensing regime or creating a new one.

VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created. This could prove challenging to determine if a VASP is a natural person (in certain circumstances, even the primary residence of a person or the location of a server may be regarded as a person’s “place of business”).

While not required by the FATF standards, host countries may also require VASPs that offer products and/or services to customers in, or that conduct operations from, their jurisdiction to be licensed or registered in the jurisdiction. The Guidance provides a set of criteria to help identify when services are considered to be provided on a cross-border basis (e.g., location of offices and servers, promotional communications targeting specific countries/markets, the language on the VASP website and/or mobile application, etc.)

A country does not need to impose a separate licensing or registration system for VASPs regarding already licensed FIs (as defined by the FATF Recommendations) within that country.
 

Wire transfers and the travel rule

Providers in the VA space must comply with the requirements of Recommendation 16. In other words, they must obtain and submit the required originator and beneficiary information associated with VA transfers to identify and report suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities. In the VA context, this obligation is known as “the travel rule”.

These requirements apply to both VASPs and other obliged entities such as FIs when they send or receive VA transfers on behalf of a customer. The Guidance now provides very detailed information on what data needs to be obtained for this purpose.

The travel rule applies to VASPs when their transactions, whether in fiat currency or VA, involve: 

• A traditional wire transfer;
• A VA transfer between a VASP and another obliged entity⁸ (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other FI); or
•  A VA transfer between a VASP and a non-obliged entity⁹ (i.e., an unhosted wallet).

Considering the cross-border nature of VA activities and VASP operations, all VA transfers should be treated as cross-border wire transfers rather than domestic wire transfers.

Transaction fees¹⁰ relating to a VA transfer are not within the scope of the travel rule. Therefore, VASPs do not need to identify the recipient of the transaction fee, because the recipient is not the originator nor the recipient of the VA transfer itself.

VASPs or other obliged entities involved in VA transfers must transmit the required originator and beneficiary information to the beneficiary institution:

• Immediately (before or when the VA transfer is conducted; “post facto” submission is not permitted); and
• Securely (in a way to facilitate the record-keeping and use of such information by receiving VASPs or other obliged entities and protect the information from unauthorized disclosure).

Where there is no beneficiary institution, this information must still be collected.

The required information does not need to be communicated as part of (or incorporated into) the transfer on the blockchain or other DLT platform itself. It can be submitted to the beneficiary VASP using an entirely distinct process from that of the blockchain or other DLT VA transfer. Any technology or software solution is acceptable as long as it enables the ordering and beneficiary institution to comply with its AML/CFT obligations.

For example, a solution for obtaining, holding and transmitting the required information could be:

• Code that is built into the VA transfer’s underlying DLT transaction protocol;
• A solution that runs on top of the DLT platform (e.g., using a smart contract, multiple-signature, or any other technology); or
• An independent (i.e., non-DLT) messaging platform or application program interface (API).

The Guidance provides concrete examples of existing technologies that providers could use to identify and transfer the originator and beneficiary information, in near real-time, before a VA transfer is conducted on a DLT (such as public and private keys, transport layer security/secure sockets layer [TLS/SSL] connections, X.509 certificates, etc.).
 

How to approach CDD when a counterparty is another VASP

As with all customers, FIs should apply a risk-based approach (RBA) when considering establishing or continuing relationships with VASPs or customers involved in VA activities, evaluate the ML/TF risks of the business relationship, and assess whether these risks can be appropriately mitigated and managed. FIs must apply the RBA properly and not resort to the wholesale termination or exclusion of business relationships within the VASP sector without an appropriately targeted risk assessment (hence, FIs should be cautious of their “de-risking” practices).

The FATF warns that, as long as the global implementation of the FATF standards on VASPs is lacking, managing these kinds of relationships will pose a continuing challenge. Besides this Guidance, VASPs and FIs should consider the FATF Guidance on Correspondent Banking Services, as there are similarities in the CDD approach which can be of assistance.

A counterparty VASP’s AML/CFT controls should be assessed to avoid submitting customer information to illicit actors or sanctioned entities, and to ensure the VASP can adequately protect sensitive information. The assessment should also confirm that the counterparty’s AML/CFT controls are subject to independent audit, whether external or internal.

For clarity, a VASP must undertake counterparty VASP due diligence before transmitting the required information to a counterparty. VASPs do not need to undertake the counterparty VASP due diligence process for every VA transfer.
  

Strengthening of supervisory cooperation

The Guidance includes a new section that discusses the FATF principles of information sharing and cooperation amongst VASP supervisors. These are non-binding principles for supervisors that introduce a wide range of requirements (e.g., that supervisors should acknowledge receipt of requests, respond to requests for information, and provide interim partial or negative responses in a timely manner) and facilitate cooperation between counterparts and exchange of relevant information.
 

Looking ahead ... FATF to focus on stablecoins, P2P, NFTs and DeFi

The FATF remains vigilant and will continue to closely monitor the VA sector for any material changes that require further revision or clarification of the FATF standards, especially in the area of stablecoins, P2P, NFTs and DeFi.

¹ Please note that FIs must still adhere to their respective CDD thresholds when engaging in covered VA activities.

² VAs are a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. VAs do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF recommendations.

³ A VASP is any natural or legal person who is not covered elsewhere under the FATF recommendations and as a business that conducts one or more of the following activities:

• Exchange between VAs and fiat currencies;
• Exchange between one or more forms of VAs;
• Transfer of VAs; and/or
• Safekeeping and/or administration of VAs or instruments enabling control over VAs.

⁴ Digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments.

⁵ A decentralized software program that operates on a blockchain and offers financial services.

⁶ VA transfers conducted without the use or involvement of a VASP or other obliged entity (e.g., VA transfers between two unhosted wallets, whose users are acting on their own behalf).

⁷ Computer program or a protocol that is designed to automatically execute specific actions such as a VA transfer between participants without the direct involvement of a third party.

⁸ Full travel rule requirements apply.

⁹ Certain exemptions from the travel rule are allowed.

¹⁰ The amounts of VA that may be collected by the miner who includes the transaction in a block.

How can Deloitte help you?

Deloitte’s subject matter specialists can help you design and implement your business strategy in light of the evolution of regulatory frameworks and market trends.

Key Deloitte services include:

• Assessment and guidance with updating compliance control frameworks and policies
• Assistance with financial crime risk assessments
• Review of client files (KYC) and the provision of a remediation plan
• AML/CFT training
• DKYC: externalizing KYC processes

Deloitte’s Regulatory Watch service helps you stay ahead of the regulatory curve to better manage and plan upcoming regulations.

Contacts

Subject matter specialists

Regulatory Watch Kaleidoscope service