12 Outcomes from FATF's Oct 2021 Updated Guidance for Virtual Assets and VASPs

On October 28, 2021, the Financial Action Task Force (FATF) released its first fully updated guidance for a risk-based approach for Virtual Assets and Virtual Asset Service Providers since 2019. This document updates its draft guidance released in March. Read our comments on that release here. This guidance offers recommendations on how member jurisdictions should regulate cryptocurrency businesses. 

The key theme is FATF’s focus on regulating cryptocurrency businesses as VASPs based on their function and business model, rather than their underlying technology, self-described business category, or custodial status. Below, we’ve summarized the top 12 key takeaways from the updated guidance and tell you how Notabene can help you meet your compliance obligations.

‍Click here to watch the webinar summary. Access the slides.

1. FATF states that Stablecoins could be considered higher risk due to their potential for mass adoption 

§104 

As with VAs, it is important that ML/TF risks of stablecoins, particularly those with potential for mass-adoption and that can be used for P2P transactions, are analysed in an ongoing and forward-looking manner. In developing new products, VASPs and other obliged entities should assess the ML/TF risks before bringing them to market and put in place mitigation measures before launch. 

What this means: The FATF recognizes that all VAs have a potential for widespread adoption yet denotes that stablecoin projects have a greater potential for mass adoption, which can heighten ML/TF risks. FATF recommends that stablecoin providers employ potential mitigation measures to ensure AML/CFT obligations are fulfilled. Expect more VASPs to start building compliance into new stablecoin products. 

2. FATF calls on Public-Private collaboration to create new risk-mitigation tools for P2P transactions

§105 P2P transactions

As set out in Section 2, countries should also seek to understand the ML/TF risks related to P2P transactions and how they are being used in their jurisdiction. (...) 

§106

Depending on the assessed risks associated with P2P transactions, or certain types of P2P transactions, countries may consider and implement as appropriate options to mitigate these risks at a national level. 

What this means: FATF is firming its stance on P2P transactions or transactions from VASPs to unhosted wallets.

Currently, the FATF places the AML/CTF burden on intermediaries and, for the time being, this will continue to be the case.In the second annual review of the Guidance, which took place in June 2021, the FATF decided it was not yet time for a paradigm shift because, first, the available data on the P2P market was deemed not yet not reliable enough to make an informed decision, and second, intermediaries continue to have a predominant presence in the crypto market. However, the FATF admits that the standards might need to be adapted in the future in case the industry shifts to disintermediated transactions. Furthermore, the FATF recognizes that P2P transactions could pose specific ML/TF risks, as they can potentially be used to avoid AML/CFT controls in the FATF Standards. For that reason, in the latest Guidance the FATF lists a number of measures that members can adopt to mitigate the risks associated with P2P transactions. In particular, the FATF already recognizes the possibility of restricting VASPs to only transact with other VASPs as a means to mitigate risks. 

3. Every virtual asset for payment or investment should be subject to obligations applicable either as a VA or another type of financial asset

§51

The FATF does not intend for an asset to be both a VA and a financial asset at the same time. (...)  When determining if a new digital asset should qualify as a financial asset or a VA, authorities should consider whether their existing regime governing financial assets or their regime for VAs can be appropriately applied to the new digital assets in question. 

§52

In instances where characterization proves difficult, jurisdictions should assess their regulatory systems and decide which designation will best mitigate and manage the risk of the product or service. Consistent with the technology-neutral approach, a blockchain-based asset that is defined as a financial asset would likely not fall under this VA-focused Guidance. (...) RBA. Nonetheless, every asset for payment or investment should be subject to obligations applicable either as a VA or another type of financial asset. 

What this means: FATF places the onus on jurisdictions to determine if a VA is a financial asset or a virtual asset. Jurisdictions could consider the commonly accepted asset usage (payment or investment) and what type of regulatory regime offers the best fit. What is key is that, regardless of the framework that jurisdictions decide to apply, all assets used for payment or investment purposes are subject to obligations consistent with the FATF recommendations, either as a VA or as other type of financial asset. It is also worth mentioning that the underlying technology of the asset is not a deciding factor in determining the applicable framework to the asset at issue. For example, a blockchain-based asset defined as a financial asset would likely not fall under the FATF VA-focused Guidance.
‍

4. The guidance now includes clarifications around #DeFi developers, stablecoin developers, and multi-sig custodial APIs

§64

The definition of VASP covers any service allowing users to transfer ownership, or control of a VA to another user or to transfer VAs between VA addresses or accounts held by the same user. (...) If a new party has custody or ownership of the VA, has the ability to pass control of the VA to others, or has the ability to benefit from its use, then transfer has likely occurred. This control does not necessarily have to be unilateral and multi-signature  processes are not inherently exempt (see limb (iv) below), where a VASP undertakes the activity as a business on behalf of another natural or legal person. 

§73

The term “control” should be understood as the ability to hold, trade, transfer or spend the VA. (...) The existence of a multi-signature model or models in which multiple parties must use keys for a transaction to happen does not mean a particular entity does not maintain control, depending on the extent of the influence it may have over the VAs.

§67

A DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology (see paragraph 82 below). However, creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services. For example, there may be control or sufficient influence(...) even if this is exercised through a smart contract or in some cases voting protocols. Countries may wish to consider other factors as well, such as whether any party profits from the service or has the ability to set or change parameters to identify the owner/operator of a DeFi arrangement. 

§68

While this Guidance aims to provide direction, countries will need to evaluate the facts and circumstances of each individual situation to determine whether there is an identifiable person(s), whether legal or natural, providing a covered service. Marketing terms or self-identification as a DeFi is not determinative, nor is the specific technology involved in determining if its owner or operator is a VASP. (...)Countries should be guided by the principle that the FATF intends to cover natural or legal persons who conduct the financial services covered in the definition as a business. (...) In cases where a person can purchase governance tokens of a VASP, the VASP should retain the responsibility for satisfying AML/CFT obligations. An individual token holder in such a scenario does not have such responsibility if the holder does not exercise control or sufficient influence over the VASP activities undertaken as a business on behalf of others. 

What this means: Multi-Sig Custodial APIs are not outside of the VASP scope, as they control keys/credentials held by others. Central developers of governance bodies of stablecoins are, in general, considered VASPs. For stablecoins without a readily identifiable central body, the party that develops and launches its arrangement likely carries out VASP functions and would be covered under the VASP definition. DeFi developers, owners, and operators may fall under the FATF definition of a VASP provided that they maintain control or sufficient influence in the DeFi arrangements, even if the operations seem automated and decentralized. However, DeFi governance token holders do not have VASP responsibilities, so long as they do not have control or sufficient influence over VASP activities. As DeFi projects rapidly expand in number, countries will need to evaluate the facts of each particular situation to determine how to proceed. We strongly recommend that the industry pushes a unified interpretation of the rules to national regulators. 

5. This updated guidance changes the scope of application of the Travel Rule to include unhosted wallets

§179

The requirements of Recommendation 16 apply to VASPs whenever their transactions, whether in fiat currency or VA, involve: (a) a traditional wire transfer, (b) a VA transfer between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other FI), or (c) a VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet). The full requirements of Recommendation 16 apply to (a) and (b) but not (c), as set out below. 

What this means: In the June 2019 Guidance (§113), VA transfers between VASP and non-obliged entities were not within the scope of TR requirements. From now on, Travel Rule requirements apply to transactions with non-obliged entities (such as unhosted wallets), but with adaptations. This means that for VASPs to apply the right process, they need to determine whether the transaction is with a VASP or with an unhosted wallet in the first place. Notabene’s fully-customizable Wallet Identification tool can help VASP determine their counterparties. 

Now, when a transaction originating from a VASP to a non-obliged entity, FATF expects VASPs to:

• Obtain the originator and beneficiary information from VASP’s customer when originating or receiving a VA transfer
• Enforce AML/CTF obligations (e.g., transaction monitoring, sanctions compliance)

FATF does not expect VASP to:

• Send required information to non-obliged entities
  ‍

6. This guidance updates the de-minimis threshold and information required for a Travel Rule transaction.

§191

Countries may choose to adopt a de minimis threshold for VA transfers of USD/EUR 1 000 in line with the FATF Standards, having regard to the risks associated with various VAs and covered VA activities. (...) For VA transfers under the threshold, countries should require that VASPs collect: 
a. the name of the originator and the beneficiary; and 
b. the VA wallet address for each or a unique transaction reference number.

§192

Such information does not need to be verified unless there are suspicious circumstances related to ML/TF, in which case information pertaining to the customer should be verified.

What this means: Many jurisdictions adopted Travel Rule requirements only for VA transfers above certain thresholds. VA transfers below the threshold VASPs should still be required to collect (but not verify, unless there is an ML/TF suspicion) the beneficiary and originator: (i) name (ii) wallet address / TX identifier. 

7. FATF provides options for risk-mitigation when interacting with unhosted wallets

§297
‍

A VASP may choose to impose additional limitations, controls, or prohibitions on transactions with unhosted wallets in line with their risk analysis. Potential measures include: 
a. enhancing existing risk-based control framework to account for specific risks posed by transactions with unhosted wallets (e.g., accounting for specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement); and b. studying the feasibility of accepting transactions only from/to VASPs and other obliged entities, and/or unhosted wallets that the VASP has assessed to be reliable. 

What this means: The FATF now provides options for risk mitigation, including VASPS limiting transactions to only other VASPs or whitelisted accounts only.  FATF clarifies the scope and obligations intermediaries when it comes to Travel Rule requirements

Footnote 50

To clarify, when a VASP, FI or other intermediary obliged entity facilitates a VA transfers as an intermediate element in a chain of VA transfers, and the certain activity/business has been classified as a VASP in this Guidance, then they would be classified as an “intermediary VASP”.  

§202

(...)Just as a traditional intermediary FI processing a traditional fiat cross-border wire transfer must ensure that all required originator and beneficiary information that accompanies a wire transfer is retained with it, so too must an intermediary VASP or other comparable intermediary institution that facilitates VA transfers ensure that the required information is transmitted along the chain of VA transfers, as well as maintaining necessary records and making the information available to appropriate authorities upon request. (...)Intermediary institutions involved in VA transfers also have general obligations to identify suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities—just like ordering and beneficiary VASPs (or other ordering or beneficiary obliged entities that facilitate VA transfers). 

What this means: Intermediary VASPs are entities that sit somewhere in the chain of a virtual asset transfer and facilitate the transfer from the originating VASP to the beneficiary VASP by providing a service that qualifies as a virtual asset service under the Guidance. 

According to the FATF's guidance, Intermediaries only pass information along, so they aren’t required to verify originating or beneficiary information, but they are nevertheless subject to record keeping obligations and are required to carry out sanctions screening. Since intermediaries are not required to verify originator and beneficiary information, requiring intermediaries to also screen the parties to the transaction against sanction lists is potentially not the most effective approach. Relying on the VASP that knows more about each party to perform this function is preferable.

VASP <> VASP reliance for sanction screening is a more effective solution. Industry cooperation will be essential to implementing a standard compliance flow for intermediaries. 

Criteria to qualify as an intermediary VASP:

• Facilitates a VA transfer as an intermediate element in a chain of VA transfers
• That activity qualifies as a virtual asset service under the Guidance
  

Obligations of intermediary VASPs:

• Transmit required information along the chain of VA transfers
• Record keeping
• Identify suspicious transactions
• Take freezing actions
• Prohibit transactions with designated persons or entities
  

8. A phased risk-based approach applied to business models should help VASPs get around the Sunrise issue. 

§200

The FATF expects countries to implement paragraph 7(b) of INR.15 as soon as possible. Countries may wish to take a staged approach to enforcement of travel rule requirements to ensure that their VASPs have sufficient time to implement the necessary systems, but should continue to ensure that VASPs have alternative measures in place to suitably mitigate the ML/TF risks arising from VA transfers in the interim. (...) This means that some jurisdictions will require their VASPs to comply with the travel rule prior to other jurisdictions (i.e., the ‘sunrise issue’). This can be a challenge for VASPs regarding what approach they should take in dealing with VASPs located in jurisdictions where the travel rule is not yet in force. Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.

§201

(...)Regardless of the regulation in a certain country, a VASP may implement robust control measures to comply with the travel rule requirements. Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions.

What this means: In this Guidance the FATF makes it very clear that the time for compliance is now. The FATF acknowledges the need for this staged approach to compliance with the Travel Rule. But, at the same time, the FATF requires countries to enforce interim risk mitigation measures that enable tackling the ML/TF risks associated with VA transfers now. 

The sunrise period - period during which Travel Rule requirements are not in force in all jurisdictions - causes a lot of practical problems due to crypto being inherently international. VASPs in countries where Travel Rule requirements are already being enforced will have a hard time complying if they want to keep interacting with VASPs based in countries where the Travel Rule is not yet being enforced. 

But what the FATF says in the new Guidance is that this issue should not preclude VASPs from already complying with the Travel Rule. And in this context, the FATF suggests a number of measures that VASPs could implement to circumvent the sunrise issue. Most of them entail substantial limitations to the VASPs' transaction volume.

In some instances, VASPs could avoid the business impact of Travel Rule compliance through policy coordination. Although the sunrise period is the #1 hindrance to compliance with the Travel Rule, FATF claims that it should not preclude VASPs from complying and offers the following risk-mitigating measures to circumvent the effect of the sunrise issue. 

• Require counterparty to comply
• Restricting TXs to within customer base
• Allowing only first-party transactions
• Enhanced monitoring

9. FATF recognizes that conducting counterparty due diligence is a challenge. Provides guidance on how counterparty due diligence could be undertaken.

§197.

The best way to conduct counterparty due diligence in a timely and secure manner is a challenge. There are broadly three phases in this process. These are not intended as prescriptive actions that VASPs must take, but guidance on how counterparty due diligence could be undertaken: 

a. Phase 1: Determine whether the VA transfer is with a counterparty VASP. A person may wish to transfer VAs to another VASP (e.g., a beneficiary with a hosted wallet) or they may wish to transfer VAs to an unhosted wallet. The originator VASP must therefore determine whether they will be transacting with another VASP. This determination process is not purely an AML/CFT requirement, but rather arises from the technology underpinning VAs. To date, the FATF is not aware of any technically proven means of identifying the VASP that manages the beneficiary wallet exhaustively, precisely, and accurately in all circumstances and from the VA address alone; 

b. Phase 2: Identify the counterparty VASP, as a VASP only knows the “name” of the counterparty VASP following the previous phase. A VASP may identify a counterparty VASP themselves using a reliable database in line with any guidelines from a country on when to rely on such data; and 

c. Phase 3: Assess whether the counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with (see Recommendation 16 in Section IV for further information on counterparty VASP due diligence and Recommendation 11 on record-keeping to appropriately store and manage that customer data). 

§193

Countries should require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities (i.e., screening and required information relating to VA transfers in order to comply with their targeted financial sanctions obligations). The ordering institution should have the required information about its customer, the originator, and the beneficiary institution should have the required information about its customer, the beneficiary, in line with the CDD requirements set forth in Recommendation 10. The ordering and beneficiary institutions should have screened their customer’s name for compliance with targeted financial sanctions obligations at the time of onboarding their respective (and upon name changes). They must then screen the names of the other party (the originator or the beneficiary) when they conduct the VA transfer (see Table 1 above). 

§198

To clarify the scope of this Guidance, competent authorities should require VASPs to implement preventive measures in ‘Phase 3’ to assess the counterparty VASP, where VASPs first have a business relationship, and then review the results of the due diligence periodically. Countries should also maintain reliable, independent sources of information for ‘Phase 2’ to assist VASPs in their efforts to identify the counterparty VASP. This could include regulated institutions lists, such as VASP lists where available, registries of beneficial ownership where available and other examples mentioned in the BCBS Guideline.49 For the benefit of effective and efficient counterparty due diligence, a regulated institutions list may include but should not be limited to contains the VASP name and registered VASP address. Considering the increased usage of digitalized processes in the financial industry, countries should be encouraged to use a format that is machine-readable. A country need not impose a separate licensing or registration system for VASPs with respect to natural or legal persons already licensed or registered as FIs (as defined by the FATF Recommendations) within that country. Countries that have such frameworks may clarify to their private sector that such FIs might not be on the designated VASPs lists, or even not under the supervision of the same regulator, to avoid unnecessary de-risking. 

§194

Countries should require VASPs or other obliged entities to implement an effective control framework to ensure that they can comply with their targeted financial sanction obligations. This framework should take into account the nature of VA transfers. Because the required information identifying the originator and beneficiary can be held separately to the VA transfer system (e.g., the blockchain), the VA transfer can be completed even with such information missing or without screening the transfer to identify suspicious and prohibited transactions. Therefore, VASPs or other obliged entities should screen required VA transfer information separately to such direct settlement. Thus, VASPs may need to consider mitigation measures that fit their business process and the technical nature of VAs. Although blockchain technology is ever-changing, examples of controls that a VASP or other obliged entity could implement include: 

a. putting a wallet on hold until screening is completed and confirmed that no concern is raised; and 

b. arranging to receive a VA transfer with a provider’s wallet that links to a customer’s wallet and moving the transferred VA to their customer’s wallet only after the screening is completed and has confirmed no concern is raised. 

What this means: The first thing VASPs should ask themselves when complying with the Travel Rule in the context of a VA transfer is whether they are transacting with a counterparty VASP, as this will influence the rules that apply to the transfer. This continues to be a relevant pain point and, in the Guidance, the FATF acknowledges that today it is not always possible to determine, securely, whether a VASP is managing the wallet on the other side.

In cases where the VA transfer is with a VASP, the goal is to make sure that such counterparty VASP can be trusted before transacting. For that purpose, VASPs need to undertake appropriate due diligence and look at several aspects such as the

• robustness of the counterparty's data security framework
• whether the counterparty is complying with the travel rule
• and whether the counterparty is under supervision of relevant authorities

All of this needs to happen before transacting. 

Identifying and conducting due diligence on counterparty VASPs is the first pain point and the first stage in implementing the Travel Rule. FATF recommends the Wolfsberg questionnaire as a starting point for a potential framework in the VASP counterparty due-diligence context. 

10. FATF outlines data requirements for ordering and beneficiary VASPs in the Travel Rule

Table 1: Data requirements for ordering and beneficiary VASPs in the travel rule (pg 59)

Notabene’s Takeaway: An important component of complying with the Travel Rule is the exchange of originator and beneficiary information between VASPs. The table above, included in the Guidance, provides an excellent summary of all the data exchange requirements and their purpose.

• The ordering VASP, which in most cases has a business relationship with the VA transfer originator, is required to transmit accurate information about the originator to the Beneficiary VASP.
• In turn, the Beneficiary VASP does not need to confirm the accuracy of the originator information, but needs to run the received information against sanction lists.
• Then, in contrast, the ordering VASP needs to send the beneficiary information collected from their customer to the Beneficiary VASP but does not need to confirm the accuracy of such data. The ordering VASP should use this data to screen the beneficiary user against sanction lists.
• The Beneficiary VASP (who verifies the identity of the beneficiary of the VA transfer upon establishing a business relationship with them), is required to confirm if the received beneficiary information is consistent with their records.

It is worth noting that in the updated Guidance the FATF recognizes that, when VASPs reasonably conclude that their counterparty does not handle PII securely, they can proceed with the blockchain transfer without sending PII to their counterparty VASP, provided that:

• AML / CTF risks are acceptable and
• That the VASP adopts alternative procedures.
  
  

11. FATF recommends VASPs to take freezing actions and prohibit transactions with designated persons/entities

§193

‍Countries should require both ordering and beneficiary institutions to take freezing actions and prohibit transactions with designated persons and entities (...)  The ordering and beneficiary institutions should have screened their customer’s name for compliance with targeted financial sanctions obligations at the time of onboarding their respective (and upon name changes). They must then screen the names of the other party (the originator or the beneficiary) when they conduct the VA transfer. 

§194

(...)  Because the required information identifying the originator and beneficiary can be held separately to the VA transfer system (e.g., the blockchain), the VA transfer can be completed even with such information missing or without screening the transfer to identify suspicious and prohibited transactions. (...) Thus, VASPs may need to consider mitigation measures that fit their business process and the technical nature of VAs. 

What this means: The goal of the sanction screening obligations imposed on VASPs is to prevent transactions with designated entities and allow VASPs to take freezing actions when such transactions occurs. For these purposes, VASPs are required to screen the names of their own customers and also of the counterparty to any transactions against sanction lists. Additionally, VASPs must take measures to mitigate the risk of settling the blockchain TX before the screening is completed, such as putting a wallet on hold until screening is completed and confirming that no concern is raised.

How Notabene helps VASPs meet FATF obligations

Notabene is a reg-tech SaaS solution that turns regulatory compliance into a competitive advantage. We are working to make crypto transactions a part of the everyday economy by providing software, tools, and comprehensive data to manage regulatory and counterparty risks in crypto transactions. Companies leverage our end-to-end FATF Travel Rule solution to identify virtual asset accounts, perform mandated VASP due diligence, and manage global transactions from one dashboard. We currently process transactions between more than 50 crypto native companies. Trusted by leading exchanges, Luno, Bitso, Crypto.com, and more. If you’d like to learn more about how we can help, please contact us here.