TLDR; In FATF’s latest guidance, it broadly defines DeFi operators as VASPs that have to deal with AML/CFT obligations. On the travel rule, the big news is that FATF expands these requirements to include all financial institutions (FIs) who deal with virtual assets. FATF also clarified many outstanding questions by adding new requirements such as sanction-screening of counterparties and collection of beneficiary names, even with unhosted wallets. VASPs will need to move quickly on the travel rule or risk not receiving licenses for operation and being outcompeted by FIs entering the market today with strong compliance expertise.
On March 19th, 2021, the Financial Action Task Force (FATF) released its updated guidance on the risk-based approach for virtual assets (VAs) and virtual asset service providers (VASPs).
The original guidance was published in June 2019, placing anti-money laundering and countering the financing of terrorism (AML/CFT) obligations on VAs and VASPs. It also extended Recommendation 16 to VASPs, commonly known as the “travel rule”.
Following the publication of this revised guidance, there is a 4 week public consultation period in which private sector participants will provide feedback and commentary. Notabene will be providing input directly to FATF as part of the FATF Virtual Asset Contact Group (VACG) and indirectly through its participation in various forums like the Global Digital Finance (GDF) and the Chamber of Digital Commerce.
With this revised guidance, FATF aims to achieve two goals:
We describe below FATF's general approach as well as summarize the main takeaways. We supplement the sections with our assessment of how this may impact the crypto industry.
FATF maintains a technology neutral approach to virtual assets.
FATF states that VASPs should be regulated similarly to financial institutions (FIs) that provide functionally similar services with similar ML/TF risks. In addition, FATF requirements should apply to all VAs and VASPs regardless of the underlying technology.
“The FATF Standards are intended to be technology neutral. As such, the FATF does not seek to regulate the technology that underlies VAs or VASP activities, but rather the natural or legal persons behind such technology or software applications that facilitate financial activity or conduct as a business the aforementioned VA activities on behalf of another natural or legal person.” (Section 68, Page 26)
Our assessment: FATF would like to maintain its view on technology neutrality and that VAs are not treated differently from other financial sectors of similar risk. However, they also apply this argument within the crypto sector - with what some may consider as direct jabs at ‘decentralized’ projects who may not be completely decentralized and for all intents and purposes would be considered VASPs.
FATF provides recommendations to local regulators to treat certain aspects of VAs as higher risk.
FATF recommends that jurisdictions manage rather than avoid risk, and thus should not ban VAs completely. They should assess the risk introduced by VA activity and whether they can manage that risk. If they cannot manage it effectively, then they can take actions to limit or restrict certain activities.
“The FATF recommendations do not prejudge any sector as higher risk. … however the overall risk at a national level should be determined by individual jurisdictions through an assessment of the sector - in this case, the VASP sector.” (Section 28, Page 12)
Our assessment: FATF is giving the green light to local jurisdictions to implement stricter rules. We expect some regulators over the next year will deem certain activities such as transactions with unhosted wallets as higher risk.
VASPs are expected to "build compliance into their product".
FATF recommends that VASPs build sufficient AML/CFT controls into the design of their product before they launch it.
"Authorities may also require that appropriate AML/CFT mitigations must be built into products and services before they are brought to market, as it is much more difficult to do so later. (...) Once licensing and registration has taken place, AML/CFT mitigations which are built into products and services should be maintained and be the subject of active supervision." (Section 119, Page 43)
Our assessment: Regulators will increasingly expect products to have built-in compliance. This should not be an after-thought, and VASPs need to make compliance an integral part of their product design and development.
No financial asset should ever fall outside of FATF standards.
FATF broadens both the VA and VASP definitions. It would like to ensure that every financial asset is either a VA or a traditional financial asset.
It defines VAs as the following:
“ VAs must be digital, and must themselves be digitally traded or transferred and be capable of being used for payment or investment purposes.” (Section 38, Page 18)
This excludes digital representations of fiat currencies such as central bank issued digital currencies (CBDCs).
With regards to VASPs, FATF did not update the definition from its 2019 guidance, but instead provided more examples as to what is considered a VASP and guidelines for regulators.
Our assessment: FATF is looking to close the loop here on what is considered under its purview and who should be regulated. Previously unregulated segments of the crypto industry will find themselves under additional scrutiny.
FATF believes that in the majority of crypto protocols a VASP is involved at some stage.
In a direct jab at the decentralized community, FATF cautions regulators from buying into the “marketing terms and innovative business models”, and instead separating the function of a VASP from the underlying technologies.
The VASP definition is expanded to potentially include multisig and MPC service providers:
“Where custodians need keys held by others to carry out transactions, these custodians still have control of the asset. A user, for example, who owns a VA, but cannot send it without the participation of others in a multisignature transaction, likely still controls it for the purposes of this definition. Service providers who cannot complete transactions without a key held by another party are not disqualified from falling under the definition of a VASP, regardless of the numbers, controlling power and any other properties of the involved.” (Section 55, Page 22)
FATF’s standards do not apply to underlying software (e.g. a DApp or software program), but the owner/operator of a DApp or a person conducting business development for a DApp are considered VASPs. (Section 57, Page 23)
Likewise, in stablecoin issuance, the developers building the platform are not VASPs unless they use it to engage as a business in conducting financial activities. Persons forming the governance body could also be considered VASPs, depending on the amount of influence and control they have. (Section 72, Page 27)
Non-custodial wallet providers are excluded from being VASPs. So are network participants and service providers solely engaging in the operation of a VA network (e.g. miners and validators). (Section 69, Page 26)
A company launching a business that could fall under VASP definition and then gives up control after launching it may still qualify as a VASP.
“The FATF takes an expansive view of the definitions of VA and VASP and considers most arrangements currently in operation, even if they self-categorize as P2P platforms, may have at least some party involved at some stage of the product’s development and launch that constitutes a VASP.” (Section 75, Page 29)
“The use of an automated process such as a smart contract to carry out VASP functions does not relieve the controlling party of responsibility for VASP obligations. For purposes of determining VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.” (Section 79, Page 30)
Our assessment: FATF is clearly taking a more rigid stance at projects in the crypto space who may market themselves as decentralized but in fact maintain power or control over financial activities (and are profiting from them). We expect lots of pushback from the industry here, but also projects to go one way or another: either launch fully decentralized or get regulated.
FATF leaves regulators to take a risk-based approach with regards to P2P transactions.
If a jurisdiction deems the risks associated with P2P transactions too high, then it needs to limit its exposure to them. FATF provides examples of measures it can take for VASPs who transact with unhosted wallets, including introducing reporting requirements similar to currency transaction reports (CTRs), enhanced recordkeeping and due diligence requirements, guiding VASPs in applying a risk-based approach, or even denying them licensing. (Section 91, Page 37)
Virtual Assets in non-compliant jurisdictions or with decentralized governance structures are also considered at higher risk.
Our assessment: We expect that multiple jurisdictions will take this as a green light to pass more stringent rules on unhosted wallets. We caution regulators to take the time to learn about why unhosted wallets do not pose necessarily more risk, and also recommend that the industry educate regulators so they do not take the easy way out and ban them.
Regulators are responsible for introducing a regulatory regime, but have flexibility in picking the approach.
FATF is not prescriptive, but recommends that countries do not outright ban virtual assets as that can lead to higher ML/TF risks (e.g. crypto users move to offshore exchanges). Instead, they should introduce registration and licensing regimes. Regulators can ask VASPs to introduce enhanced due diligence measures and devote more resources to AML/CFT compliance.
They should require VASPs to conduct CDD for transactions above USD/EUR 1000 and perform the travel rule. The rest of the recommendations more or less apply similarly as they do with FIs.
Our assessment: This is consistent with FATF’s general approach. Many jurisdictions who have not allocated resources as yet to regulating VAs may find it difficult over the next few years as they look to close the gap.
VASPs must now perform sanctions screening on originators and beneficiaries.
We summarize the new requirements for VASPs:
Originating VASP must:
Beneficiary VASP must:
Our assessment: Adding a sanction screening requirement is not a surprise, but in this case it could lead to many false positives. There is a lot of gray area here that can lead to a big burden on compliance teams today as they manually need to address issues that come up in transactions.
Originator VASPs must collect beneficiary names for all transactions.
It does not matter if a transaction is under the travel rule threshold (Section 167, Page 56) or going to an unhosted wallet (Section 180, Page 60). In fact, FATF calls out that the travel rule applies to transfers between a VASP and an unhosted wallet, and that unhosted wallets could be treated as higher risk.
Our assessment: We expect pushback from the industry regarding end-user privacy and treating unhosted wallets as higher risk.
Travel Rule data transfers must be immediate and secure.
They should be done at the same time (or presumably before) performing the underlying VA transaction. It does not have to be attached to the blockchain transaction itself. Batching is allowed as long as it is submitted immediately.
Our assessment: We expect the implementation to be a challenge in the sunrise period for some VASPs as they grapple with insufficient data, timely identification of counterparty VASP, and determining what travel rule solution they support.
Intermediaries have record-keeping and sanction-screening requirements.
Intermediaries only pass information along, so they aren’t required to verify originating or beneficiary customer information. However, they are required to perform record keeping and sanctions checks.
Our assessment: We expect a standard travel rule compliance flow for intermediaries to emerge in the industry in the next 6 months. Today, there have been some individual efforts, but industry cooperation will be important here to implement a standard flow across the industry.
VASPs are required to conduct counterparty VASP diligence before initiating a transfer.
A VASP should consider treating a counterparty VASP as a correspondent banking relationship and conduct thorough due diligence on the counterparty VASP. (Section 146, Page 50)
It can collect information directly from the VASP, but it must be verified. Beyond that, the VASP should assess the level of risk in the jurisdiction (e..g. AML/CFT laws of the jurisdiction, country assessment reports) as well as the counterparty VASP’s AML/CFT controls. After an initial due diligence, the VASP should periodically refresh it or have mechanisms in place to identify if a new risk emerges.
FATF recognizes due diligence is a challenge and summarizes it in a 3 phase approach:
Our assessment: Conducting thorough due diligence at scale can be a challenge. Platforms like Notabene will provide solutions to help streamline the data collection and verification, as well as facilitate the relationship between the VASPs. However, regulators will also have to provide databases of verified information about VASPs.
Sunrise period is a challenge but not an excuse.
VASPs who want to interact with counterparty VASPs in a jurisdiction where the travel rule is not yet implemented could require them to implement it.
“This can be a challenge for VASPs regarding what approach they should take in dealing with VASPs located in jurisdictions where the travel rule is not yet in force. Regardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.“ (Section 176, Page 59)
VASPs who want to be compliant can consider taking additional robust control measures:
“Examples include VASPs restricting VA transfers to within their customer base (i.e., internal transfers of VAs within the same VASP), only allowing confirmed first-party transfers outside of their customer base (i.e., the originator and the beneficiary are confirmed to be the same person) and enhanced monitoring of transactions. The absence of relevant regulations in one country does not necessarily preclude the effectiveness of measures introduced by a VASP on its own.” (Section 177, Page 59)
Our assessment: In the latter part of 2021, many VASPs will adopt the travel rule for business reasons - mainly that their counterparty VASPs already require it.
Are you interested in learning more about how we can help you comply with the latest crypto compliance rules? Reach out to us at firstname.lastname@example.org.