FATF updates Crypto Guidance

Kayne Osbourne, Chartered FCSI
April 21, 2023

FATF updates guidance on VAs and VASPs

The Financial Action Task Force (FATF), the global standard-setting body for anti-money laundering (AML) and terrorist financing (TF), has issued updated guidance on virtual assets (VAs) and virtual asset service providers (VASPs). It is worth noting from the outset that VAs and VASPs are broad terms encompassing activities relating to cryptoassets and cryptoasset exchanges.

The new guidance includes updates in the following areas:

  1. definitions of VAs and VASPs
  2. stablecoins and how FATF standards apply
  3. risks associated with peer-to-peer crypto transfers
  4. licensing and registration of VASPs
  5. implementation of the “travel rule”
  6. information sharing between regulators

At 111 pages, the document is quite weighty, but we recommend that everyone in the crypto space peruse Section 2 and Section 4 of the guidance, as they signal which rules are to come and their rationale. Fortunately, we summarise the salient points from the guidance below.

Principles underlying FATF standards for crypto

The principles underlying the design and application of FATF standards concerning VAs are as follows:

Functional equivalence and objectives-based approach

The guidance supports objectives-based or outcomes-based implementation by global regulatory authorities, rather than imposing rigid, prescriptive, one-size-fits-all rules.

Technology-neutrality and future-proofing 

The requirements are flexible enough to apply to existing technologies as well as evolving and emerging technologies. No preference is given to particular products, services, or solutions, including technological solutions that assist VASPs in complying with their AML/CTF obligations.

Level-playing field (functional treatment)

Fundamentally similar services pose similar risks and should therefore be treated on equal footing from a regulatory perspective. An identical principle of ‘same activity, same risk, same regulation’ was advocated during the Treasury’s oral evidence session with banking leaders on the Future of Financial Services. Crypto exchanges and transfer businesses should expect to be regulated on the basis of their inherent risk rather than marketing terminology, technology or business model. 

Risks associated with crypto

All VAs and VASPs are obliged to carry out a business-wide risk assessment of their exposure to money laundering and terrorist financing (ML/TF). They should adopt a risk-based approach (RBA), which means that they should target their resources and controls where they will be most effective. As under the Money Laundering Regulations 2017, the risk assessment should assess services, products, transactions involved, customer risk, geographical risk and types of VA exchanged.

The FATF does not support the wholesale and indiscriminate termination or restriction of crypto business relationships. Financial institutions should manage risk, rather than simply avoid it altogether. We have seen similar calls in the UK payments industry whereby ‘de-risking’ has been criticised - banks offboarding firms that compete with their foreign exchange and remittance services, citing money laundering concerns as their justification. 

VAs and VASPs, depending on particular facts and circumstances concerning any individual case, can pose a higher risk of ML/TF due to their capacity for mass adoption, enablement of non-face-to-face business relationships, global reach and near instantaneous transfer of value. Moreover, they can facilitate anonymous or pseudonymous transactions, another high-risk factor for ML/TF.

For stablecoins, or VAs that have a value that is ‘pegged’ to the price of fiat currency, relevant considerations include whether they are centralised or decentralised i.e. whether they allow unhosted wallets or not and whether the system is permissioned or permissionless. 

Peer-to-peer (P2P) transactions are of particular concern and interest to the FATF since these transactions can be conducted without any involvement of an obliged entity. Firms should therefore be wary of the transfer chains of crypto to their platforms. If they come from unhosted private wallets where no KYC was applied, this increases the ML/TF risk. 

Risk factors for VAs

The FATF sets out 7 key risk factors relevant to VAs, which firms should consider when conducting or engaging with crypto business. These are:

  1. Value: The number and value of VA transfers; the value and price volatility of the VA issued; the market capitalisation of the VA; the value in circulation; the number of jurisdictions of users and the number of users in each jurisdiction; the market share in payments for a VA in each jurisdiction; and the extent to which the VA is used for cross-border payments and remittances;
  2. Interconnectedness: VAs can be exchanged with or for fiat currency or for other VAs. They are also often connected to VA-based platforms and services.
  3. Degree of openness: The nature and scope of the VA payment channel or system - open versus closed-loop systems; systems intended to facilitate micro-payments or government-to-person/person-to-government payments
  4. Extent of illicit activity: The number and value of VA transfers and those relating to illicit activities (e.g., darknet marketplaces, ransomware and hacking) including those between unobliged entities like unhosted P2P transactions, which are not covered by the standards
  5. Anonymity: The use of anonymizing techniques for VA transfers such as Anonymity Enhancing Coins, mixing and tumbling services, the clustering of wallet addresses and privacy wallets. In addition, exposure to IP anonymisers such as the TOR browser can obfuscate transactions or impede VASPs from being able to implement effective anti-money laundering and countering terrorist financing (AML/CTF)
  6. Size and Control: The size of the business, the existing customer-base, the stakeholders, and the significance of the cross-border activities of the issuer and/or the central entity governing the arrangement (where this exists).

Risk factors for VASPs

The following risk factors should be considered in relation to VASPs:

  1. Number in a jurisdiction: The number and types of VASPs that are based in a jurisdiction and/or offering services to persons based in a jurisdiction, and the number and amount of transactions relating to each service.
  2. Strength of VASPs' AML/CTF controls: The sophistication of a VASP's AML/CTF program, including the existence or absence of appropriate oversight tools to monitor VA and/or VASP activities, and whether senior management has appropriate knowledge and expertise.
  3. Nature of the account: The nature and scope of the VA account, product or service. For example, small value savings and storage accounts that primarily enable financially-excluded persons to store limited value may present a lower risk than high-value investments. This includes transaction or account balance limits.
  4. Implementation of the ‘travel rule’: Whether the VASP implements the ‘travel rule’ (collecting and sending of originator/beneficiary information) or not, and how effectively it has mitigated the ‘sunrise issue’, which is where some jurisdictions will have implemented the travel rule before others.
  5. Involvement of unregulated entities: Transactions from / to non-obliged entities (e.g., unhosted wallets with no obliged entity, VASPs in jurisdictions where they are not subject to regulation and supervision, etc.) and transactions where at an earlier stage P2P transactions have occurred.
  6. Types of VAs on offer: specific types of VAs that the VASP offers or plans to offer and any unique features of each VA, including where the VAs are anonymity enhancing.

Mitigating Crypto Risk

Potential mitigation measures crypto firms should consider include:

  • limiting the scope of users' ability to transact anonymously
  • controlling who can access the arrangement
  • applying risk-based KYC controls, including Enhanced Due Diligence (EDD) as appropriate
  • using software to monitor transactions and detect suspicious activity
  • applying CDD to VA transactions above £1,000
  • monitoring transactions, including identifying changes to the customer profile (e.g., the customer's behaviour, use of products, and the amounts involved)
  • ensuring compliance with the ‘travel rule’ - described in more detail below
  • When applying EDD:
      • corroborating the identity information received from the customer, such as a national identity number, with information in third-party databases or other reliable sources
      • tracing the customer's IP address
      • using blockchain analytics
      • searching the Internet for corroborating activity information consistent with the customer's transaction profile
      • obtaining additional information on the customer and intended nature of the business relationship
      • obtaining information on the reasons for intended or performed transactions
      • enhanced monitoring of the relationship and transactions
  • Obtaining information on:
      • the purpose of transaction or payment
      • parties to the transaction and the relationship between parties
      • sources of wealth and/or funds
      • identity and the beneficial ownership of the counterparty
      • export control information, such as copies of export-control or other licenses issued by the national export control authorities, and end-user certification.

Definitions of VAs and VASPs

The FATF Glossary defines a "Virtual asset" as:

a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities, and other financial assets that are already covered elsewhere in the FATF Recommendations

A "Virtual asset service provider" is:

 any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i.    Exchange between virtual assets and fiat currencies;

ii.    Exchange between one or more forms of virtual assets;

iii.    Transfer of virtual assets; and

iv.    Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;

v.     Participation in and provision of financial services related to an issuer's offer and/or sale of a virtual asset.

The purpose of adding the new definitions of VA and VASP to the FATF Glossary was to broaden the applicability of the FATF Standards to encompass new types of digital assets and providers of certain services in those assets.

The FATF asserts that no financial asset should be interpreted as falling entirely outside the FATF Standards and that financial assets should not be deemed as uncovered simply due to the format in which they are offered. 

A closer look at the definition of a virtual asset

VAs must be digital and must themselves be digitally traded or transferred and capable of being used for payment or investment purposes. Activities captured include the issuance of an asset (think ICOs), exchanging it, transferring it to or on behalf of someone else, changing its ownership, or destroying it.

The key question in determining whether a crypto is a VA or not is whether it has inherent value to be traded or transferred and used for payment or investment.

Digital representations of fiat currencies are already captured by FATF Standards, which in the context of the UK fall within the definition of e-money under the Electronic Money Regulations 2011. 

NFTs are not virtual assets

Non-fungible tokens (NFTs) are unique in that they are digital assets that in practice are used as collectibles rather than as payment or investment instruments. The FATF confirmed that NFTs are generally not considered to be VAs but if they are used for payment or investment purposes, then they will be covered by the definition.

Stablecoins are virtual assets

A stablecoin can either be a VA or a security, depending on its exact nature. In the UK, stablecoins are being investigated by the Treasury. 

Zooming in on VASPs

Despite the many and frequently changing marketing terms and innovative business models developed in the crypto sector, the FATF envisions very few VA arrangements without VASPs involved at some stage. The obligations in the FATF Standards stem from the underlying services offered without regard to operational model, technological tools, ledger design, or any other operating feature.

Firms carrying out crypto-related functions on a very infrequent basis do not meet the criterion of ‘as a business’ under the FATF definition. It is also worth noting that firms that trade solely for themselves would not be considered as VASPs. 

In the UK, we have the concept of ‘by way of business’, which is very similar. The UK’s regime goes further than FATF, as its definition of facilitative activities includes arranging or making arrangements with a view to the exchange, transfer or safekeeping of cryptoassets. This can capture ‘introducer-only’ arrangements, as no introducer exclusion like that under Article 33 of the Financial Services and Markets Act 2000 (FSMA) is available within the Money Laundering Regulations 2017 (MLRs) as amended.

Only entities falling short of exchange, transfer, safekeeping, administration, control, and the provision of financial services associated with issuance will generally not be a VASP.

Automating a process designed to provide VASP services for a business does not relieve the controlling party of obligations. Smart contract arrangements, therefore, can also be in-scope. 

Key questions to answer in determining whether your firm is a VASP are as follows:

  • Who profits from the use of the service or asset?
  • Who established and can change the rules?
  • Who can make decisions affecting operations?
  • Who generated and drove the creation and launch of a product or service?
  • Who maintains an ongoing business relationship with a contracting party or another person who possesses and controls the data on its operations?
  • Who could shut down the product or service?

More often than not, the identity of ‘who’ in these questions is likely to be a VASP. 

We’ll now turn to some specific arrangements. 

DApps and DeFi operators can be VASPs

A "decentralized or distributed application (DApp)" refers to a software program that operates on a blockchain or similar technology. 

Sometimes, DApps facilitate or support other protocols, applications, or digital assets and their transfer. Whilst they run on decentralised ledgers, there is often still a central party involved with a significant degree of control and influence over its development. 

Such parties may create and launch VAs or offer financial services, known as decentralised finance (DeFi). 

DeFi applications, however, in and of themselves are not VASPs. They are just the underlying software. The applications’ owners, operators or parties who maintain control or influence over them may, however, be VASPs under the FATF standards.

Custodians and administrators are also VASPs

Any service that includes holding a VA or its private keys on behalf of another is considered ‘safekeeping’, making the relevant provider a VASP. 

Any service whereby a firm manages VAs for or on behalf of another person is considered ‘administration’, which would make the administrator a VASP.

Multi-signature models can also involve VASPs depending on the degree of influence over the VA a relevant party has. These are models in which multiple parties must use keys for a transaction to happen.

Stablecoin providers

There are a range of entities involved in any stablecoin arrangement that may be VASPs. Stablecoins may have a central developer or governance body. A governance body consists of parties who establish or participate in the establishment of the rules governing the stablecoin arrangement.

The body may determine the functions of the stablecoin, who can access it, and the extent of AML controls. They may also manage or delete the stabilization function or delegate it to other entities. 

Where such a central body exists in a stablecoin arrangement, it will, in general, be a VASP.

The Travel Rule

The Travel Rule was developed with the objective of preventing terrorists and other criminals from having unfettered access to electronically-facilitated funds transfers for moving their funds and for detecting such misuse when it occurs.

The new rule requires VA transfers, which are functionally analogous to wire transfers, to obtain and send the following data:

Record-keeping requirements

VASPs engaging in VA activities should maintain transaction records on transactions and information obtained through CDD measures, including: 

  • Identifying information on relevant parties
  • public keys (or equivalent identifiers)
  • addresses or accounts involved (or equivalent identifiers)
  • Amount transferred
  • Nature and date of transaction
  • public information on the blockchain or other relevant distributed ledger (however, reliance solely on the blockchain underlying the VA for recordkeeping is not sufficient)

Recommended further reading:

  • July 2018 FATF report to G-20 Finance Ministers and Central Bank Governors
  • February 2019 FATF public statement on mitigating risks from virtual assets
  • April 2019 FATF report to G-20 Finance Ministers and Central Bank Governors
  • October 2019 FATF Statement on money laundering risks from “stablecoins” and other emerging assets
  • June 2020 12-month review of the revised FATF Standards on virtual assets/VASPs
  • June 2020 FATF report to the G20 Finance Ministers and Central Bank Governors on so-called stablecoins
  • September 2020 FATF report on virtual assets red flag indicators of ML/TF
  • July 2021 second 12-month review of the revised FATF Standards on virtual assets/VASPs
  • FATF Guidance on Digital ID.

What next?

Perhaps you are seeking to become registered in the UK as a cryptoasset business.

Or maybe you are a cross-border crypto firm trying to understand what your obligations are and want to make sure you are meeting best practices.

In any case, our team has the expertise to steer you in the right direction. Just contact us today and a member of our team will be in touch. 




ABOUT THE AUTHOR
Kayne Osbourne, Chartered FCSI

Kayne Osbourne is ComplyEasy's Founder. Kayne is a Chartered Fellow of the Chartered Institute for Securities Investments, CAMS certified and has advised dozens of fintech and traditional financial services businesses on turning compliance into an engine of growth.
