In an on-going effort to set international standards that aim to prevent illegal activities, the Financial Action Task Force (FATF) released a public consultation on 19 March 2021 for its latest Draft Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. This draft is an update of the FATF’s March 2019 guidance, which placed anti-money laundering and financing of terrorism obligations on virtual assets (VAs) and virtual asset service providers (VASPs).
As the industry has evolved — and continues to evolve — since then, the latest draft guidance provides updates in six main regulatory areas, as well as clarifications on specific terms and how aspects of the guidance should be interpreted. As we review the updates and proposals, it is prudent to keep in mind the FATF’s goals:
The document highlights and provides updated guidance in predominantly six regulatory areas, which include:
1) Clarity on the definitions of VA and VASP: The FATF makes clear in the draft guidance that the definitions of VA and VASP are inclusive and wide-ranging. In other words, there should not be a relevant financial asset that is not covered by The FATF Standards. Amongst this, the following are considered to be VAs and VASPs:
2) Stablecoins in relation to the FATF Standards: As stablecoins are coming to the fore, the draft guideline states that stablecoins are virtual assets and FATF Standards apply to these instruments. However, government-issued Central Bank Digital Currencies (CBDCs) are not considered VAs and, therefore, FATF Standards do not apply.
3) Peer-to-peer (P2P) transaction risks and potential risk mitigants: While P2P transactions are not explicitly subject to the FATF’s AML/CFT obligations, the FATF recognizes that P2P transactions may “heighten ML/TF risk†and may be used to avoid AML/CFT controls imposed upon VASPs or other obligated entities. As P2P transfers gain mainstream traction, this may lead to systemic ML/TF vulnerabilities.
4) Updated guidance on the licensing and registration of VASPs: While there is some flexibility for jurisdictions when it comes to VASP licensing and registration, VASPs should be required to be licensed or registered in the jurisdiction where they’re created at a minimum. Countries may also require VASPs that are offering products and services to users in their jurisdiction to be licensed or registered. Country regulators and authorities should have mechanisms in place to monitor VASPs in their jurisdictions and identify individuals who carry out VA activities and operations without proper licensing and registration.
5) Additional guidance for the public and private sectors on ‘Travel Rule’ implementation: The FATF has indicated that VASPs are considered high risk if they have not yet implemented the “Travel Rule†— and need to undertake counterparty VASP due diligence before they transmit the required information. Should the beneficiary jurisdiction lack regulation, originating VASPs may require ‘Travel Rule’ compliance from beneficiaries by contract or business practice based on the VASP’s individual risk analysis.
In the case of P2P transactions, where there is not an originator or beneficiary institution, the beneficiary VASP must still collect the required information with respect to their customer and jurisdictions should consider requiring VASPs to treat such VA transfers as higher-risk transactions that require enhanced scrutiny.
6) Principles of information sharing and co-operation amongst VASP Supervisors: Due to the cross-border nature of VAs and VASPs, information sharing by international authorities and the private sector is critical. Under the new guidance, the FATF has developed a list of Principles of Information Sharing and Co-operation between VASP Supervisors, which covers identifying Supervisors and VASPs and best practices for information exchange and co-operation between jurisdictions. This includes:
A number of jurisdictions are using or exploring the use of blockchain analytics tools like Merkle Science’s Blockchain Monitor to assist with their supervision in a number of ways — from assessments of individual firms to categorizing the highest risk firms based on their activities. (See paragraph 209)
The FATF also proposed several new ideas, no doubt as a result of the recent surge in interest and market entry into the cryptocurrency sector. These include:
It is important to note that the FATF places the onus of P2P transaction risk identification and mitigation on VASPs and countries. VASPs should consider — starting from the design or development phase — whether any virtual assets or future products will enable P2P transactions, which may include unhosted wallet transfers. If so, VASPs should also consider how to mitigate ML/TF risks. In turn, countries should consider how the ML/TF risks of P2P transactions may be mitigated through, for example, Merkle Science’s blockchain analytics tools. Our coverage of P2P exchanges, along with our behavior-based rules, can help VASPs detect untagged P2P wallets as well. (See paragraph 35).
In addition to the latest proposals mentioned above, VASPs have been taking advantage of our highly-customizable Blockchain Monitor and Merkle Science Investigator tools in areas such as:
The FATF is currently seeking feedback from the private sector — particularly representatives from the VA and VASP communities, technology developers and providers, other regulated entities such as banks, and authorities — before it finalizes its updated guidance in June 2021. Merkle Science will be submitting suggestions to Global Digital Finance and CryptoUK — two leading associations advocating for the best practices and highest standards of conduct when it comes to virtual assets.
Should this be of interest, feedback may be sent to FATF.Publicconsultation@fatf-gafi.org with the subject line “Comments of [author] on the draft revised VASP Guidance†by 20 April 2021 (18:00 UTC).
Respondents must indicate the following in their emails*:
*The contact information respondents provide will be used for the purpose of this public consultation only and won’t be shared with third parties without the respondent’s consent.