FATF Recommendations on virtual assets


FATF Recommendations on virtual assets

26 June 2019

Regulatory News Alert

Context and objectives

In October 2018, the Financial Action Task Force (FATF) adopted changes to its Recommendations to explicitly clarify that they apply to financial activities involving virtual assets (VA) and virtual asset service providers (VASPs). The amended FATF Recommendation 15 therefore requires that VASPs are regulated for anti-money laundering and combating the financing of terrorism (AML/CFT) purposes, licenced or registered, and subject to effective systems for monitoring or supervision.

Furthermore, in June 2015, FATF adopted Guidance for a Risk-based Approach to Virtual Currencies (Guidance). Now the FATF have issued an updated Guidance in order to further explain the application of the FATF Recommendations to countries and competent authorities; as well as to VASPs and other obliged entities that engage in VA activities, including financial institutions such as banks and securities broker-dealers.

Scope of FATF standards

The FATF has agreed that all of the funds- or value-based terms in the FATF Recommendations (e.g., property, proceeds, funds, funds or other assets, and other corresponding value) include VAs and that countries should apply all of the relevant measures under the FATF Recommendations to VAs, VA activities, and VASPs.

Therefore, almost all of the FATF Recommendations are directly relevant to address the ML/TF risks associated with VAs and VASPs, while other Recommendations are less directly or explicitly linked to VAs or VASPs, though are still relevant and applicable. VASPs therefore have the same full set of obligations as financial institutions or as a Designated Non-Financial Business and Profession (DNFBPs).

Risk-based approach

The updated Guidance seeks to clarify how should VASPs design and implement their risk-based AML/CFT approach, including the application of preventive measures such as customer due diligence, record-keeping, and suspicious transaction reporting.

In addition to consulting the previous factors set out in the 2015 Guidance, VASPs should consider the following elements when identifying, assessing, and determining how best to mitigate the risks associated with covered VA activities and the provision of VASP products or services:

a) The potentially higher risks associated both with VAs that move value into and out of fiat currency and the traditional financial system and with virtual-to virtual transactions
b) The risks associated with centralized and decentralized VASP business models
c) The specific types of VAs that the VASP offers or plans to offer and any unique features of each VA, such as AECs, embedded mixers or tumblers, or other products and services that may present higher risks by potentially obfuscating the transactions or undermining a VASP’s ability to know its customers and implement effective customer due diligence (CDD) measures
d) The specific business model of the VASP and whether that business model introduces or exacerbates specific risks
e) Whether the VASP operates entirely online (e.g., platform-based exchanges) or in person (e.g., trading platforms that facilitate peer-to-peer exchanges or kiosk-based exchanges)
f) Exposure to Internet Protocol (IP) anonymizers such as The Onion Router (TOR) or Invisible Internet Project (I2P), which may further obfuscate transactions or activities and inhibit a VASP’s ability to know its customers and implement effective AML/CFT measures
g) The potential ML/TF risks associated with a VASP’s connections and links to several jurisdictions
h) The nature and scope of the VA account, product, or service (e.g., small value savings and storage accounts that primarily enable financially-excluded customers to store limited value)
i) The nature and scope of the VA payment channel or system (e.g., open- versus closed-loop systems or systems intended to facilitate micro-payments or government-to-person/person-to-government payments)
j) Any parameters or measures in place that may potentially lower the provider’s (whether a VASP or other obliged entity that engages in VA activities or provides VA products and services) exposure to risk (e.g., limitations on transactions or account balance).

The Guidance makes clear that VASPs, and other entities involved in VA activities, need to apply all the preventive measures described in FATF Recommendations 10 to 21. The Guidance explains how these obligations should be fulfilled in a VA context and provides clarifications regarding the specific requirements applicable to the US$/€1,000 threshold for VA occasional transactions, above which VASPs must conduct customer due diligence (Recommendation 10); and the obligation to obtain, hold, and transmit required originator and beneficiary information, immediately and securely, when conducting VA transfers (Recommendation 16).

Considerations for competent authorities

The Guidance explains the VASP registration or licensing requirements, in particular how to determine in which country/ies VASPs should be registered or licensed – at a minimum where they were created; or in the jurisdiction where their business is located in cases where they are a natural person, but host jurisdictions can also chose to require VASPs to be licensed or registered before conducting business in their jurisdiction or from their jurisdiction.

The Guidance further underlines that national authorities are required to take action to identify natural or legal persons that carry out VA activities without the requisite license or registration.

Regarding VASP supervision, the Guidance makes clear that only competent authorities can act as VASP supervisory or monitoring bodies, and not self-regulatory bodies. They should conduct risk-based supervision or monitoring, with adequate powers, including the power to conduct inspections, compel the production of information and impose sanctions.

Other information that may be relevant in the AML/CFT context includes the fitness and propriety of the VASP’s management and compliance functions.

There is a specific focus on the importance of international co-operation between supervisors, given the cross-border nature of VASPs’ activities and provision of services.

Finally, the Guidance provides examples of jurisdictional approaches to regulating, supervising, and enforcing VA activities, VASPs, and other obliged entities for AML/CFT (in Italy, Norway, Sweden, Finland, Mexico, Japan and USA).

How can Deloitte help?

In this rapidly evolving crossroads between regulations, Deloitte can help you stay ahead of the game with our Kaleidoscope Regulatory Watch services, which monitors and analyzes upcoming changes.

Deloitte’s AML/CTF advisory specialists and dedicated services will also help you design and implement your renewed business strategy in light of the future evolution of the AML/CFT framework.

Deloitte AML services:
  • AML/KYC Remediation Plan
  • AML/CTF Training
  • AML/CTF policy, procedure, and process design or review
  • DKYC: externalizing KYC processes
PDF - 78kb


Pascal Eber
Partner – Operations Excellence & Human Capital
Tel : +352 45145 2649

Eric Collard
Partner – Forensic & AML, Restructuring
Tel : +352 45145 4985

Simon Ramos
Partner – IM Advisory & Consulting 
Tel : +352 45145 2702

Jean-Philippe Peters
Partner – Risk Advisory
Tel : +352 45145 2276

Patrick Laurent
Partner – Technology & Innovation Leader
Tel : +352 45145 4170

Laurent Collet
Partner – Strategy Regulatory & Corporate Finance
Tel : +352 45145 2112

Bastien Collette
Director – Advisory & Consulting (AML/CTF)
Tel : +352 45145 3372

Alice Lehnert
Director – Advisory & Consulting
Tel : +352 45145 2605

Benoit Sauvage
Director – RegWatch, Strategy & Consulting
Tel : +352 45145 4220

Marijana Vuksic
Manager – Regulatory & Consulting
Tel : +352 45145 2311

Did you find this useful?