Analysis: Proposed FATF Guidance for Virtual Assets and VASPs
On March 19, 2021, global anti-money laundering watchdog the Financial Action Task Force (FATF) released a public consultation for its updated Draft Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. Key changes in the draft guidance include:
- DEXs and crypto escrow services are considered Virtual Asset Service Providers (VASPs)
- Stablecoins are virtual asset (VAs) and FATF Standards apply to them
- Only NFTs that can facilitate money laundering (ML) and terrorism financing (TF) are VAs
- VASPs should assess and mitigate proliferation financing (PF) risks
- Best practices for counterparty What is a Virtual Asset Service Provider (VASP)? A Virtual A... More due diligence
- Options for mitigating peer-to-peer transaction risks
- New Travel Rule clarifications and guidance
FATF clarifies the definitions of Virtual Assets and Virtual Asset Service Providers
- The FATF does not consider central bank digital currencies (CBDCs) as virtual assets, and instead applies standards similar to any other form of fiat currency issued by a central bank.
- Decentralized exchanges, platforms or apps are not considered VASPs.
- A decentralized or distributed application (DApp), is not a VASP under the FATF standards—the Standards do not apply to underlying software or technology—but entities involved with the DApp such as owners or operators may be VASPs under the FATF definition.
- VA escrow services, including services involving smart contract technology, brokerage services, order-book exchange services, advanced trading services, and custody providers are all VASPs.
- Some non-fungible tokens (NFTs) that may not initially appear to constitute VAs may in fact be VAs due to secondary markets that enable the transfer or exchange of value or facilitate money laundering, terrorist financing, and proliferation financing.
- Assets should not be deemed uncovered by the FATF Recommendations because of the format in which they are offered and no asset should be interpreted as falling entirely outside the FATF Standards.
Proliferation Financing (PF) Risks
- In addition to money laundering and terrorism financing (ML/TF) risks, VASPs should begin to assess and mitigate proliferation financing (PF) risks.
- The FATF is currently developing separate guidance to clarify these requirements.
FATF standards apply to “so-called stablecoins”
- The FATF recommends countries analyze and mitigate the ML/TF risks of before they are launched—especially if the Stablecoins maybe privately issued cryptocurrency or algorit... More is to be used for P2P transactions.
- Risk mitigation could include “limiting the scope of customers’ ability to transact anonymously and/or by ensuring that AML/CFT obligations of obliged entities within the arrangement are fulfilled, e.g. by using software to monitor transactions and detect suspicious activity.”
Risk mitigation options for peer-to-peer transactions
- Transactions to/from non-obliged entities (e.g. unhosted wallets) and transactions where at an earlier stage P2P transactions have occurred should be considered higher-risk.
- The FATF recommends some of the following as possible P2P risk mitigation tactics in high-risk jurisdictions:
- implementation of the VA equivalent of CTRs
- denying licensing of VASPs if they allow transactions to/from non-obliged entities (i.e., private/unhosted wallets)
- enhanced recordkeeping requirements and Enhanced Due Diligence is a KYC process of carrying out furt... More (Enhanced Due Diligence is a KYC process of carrying out furt... More) requirements
- ongoing enhanced supervision of VASPs
- issuing public guidance and advisories to raise awareness of risks posed by P2P transactions
Specific guidance on the implementation of the “travel rule”
- VASPs that have not implemented the “Travel Rule” should be considered higher-risk.
- A VASP needs to undertake counterparty VASP due diligence before they transmit the required information.
- Regardless of the lack of regulation in the beneficiary jurisdiction (sunrise issue), originating VASPs can require travel rule compliance from beneficiaries by contract or business practice. In general, those business decisions are made by each individual VASP based on their risk-based analysis.
- Originators and beneficiary VASPs should screen transactions to confirm that the counterparty is not a sanctioned name.
- The submission of originator and beneficiary information in batches is acceptable, as long as submission occurs immediately and securely as per the FATF Standards. Post facto submission of the required information should not be permitted (i.e., submission must occur before or when the VA transfer is conducted)
- Where there is not an originator or beneficiary institution (transactions to and from unhosted wallets), the VASP must still collect the required information with respect to their customer. Countries should also consider requiring VASPs to treat such VA transfers as higher risk transactions that require enhanced scrutiny and limitations.
Best practices for VASP Counterparty Due Diligence
- When implementing the Travel Rule, it is important to conduct VASP counterparty due diligence. In order to conduct counterparty due diligence in a timely and secure manner, the FATF recommends a three-phase approach:
- Phase 1: Determine whether the VA transfer is with a counterparty VASP or to an In their Interpretive Letter #1172, the Office of the Comptr... More or other service.
- Phase 2: Identify the counterparty VASP.
- Phase 3: Assess if the counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with.
- A blockchain—the technology underlying bitcoin and other c... More analytics can be used to assess the VASP and identify discrepancies.
- Complete counterparty VASP due diligence before first transaction with VASP.
- Result of counterparty VASP due diligence should be reviewed periodically.
Updated guidance on the licensing and registration of VASPs
- The FATF standards allow jurisdictions flexibility in applying licensing or registration to VASPs.
- At a minimum, VASPs should be required to be licensed or registered in the jurisdiction(s) where they are created.
- Jurisdictions may also require VASPs that offer products and/or services to customers in their jurisdiction to be licensed or registered in the jurisdiction.
- National authorities should have mechanisms to monitor the VASP sector and identify natural or legal persons that carry out VA activities or operations without the requisite license or registration.
Principles of Information-Sharing and Co-operation Amongst VASP Supervisors
- Cross-border information sharing by authorities and the private sector with their international counterparts is critical in the VASP sector due to the cross-border nature and multi-jurisdictional reach of VAs and VASPs. The FATF has developed a list of Principles of Information Sharing and Co-operation between VASP Supervisors under their new guidance. The full list covers identifying Supervisors and VASPs, and best practices for information exchange and co-operation between jurisdictions.
- Each country must designate at least one competent authority as their supervisor of VASPs for AML/CFT purposes, and the competent authority cannot be a self-regulatory body.
- Countries must clearly identify their Supervisor(s) of VASPs for AML/CFT purposes.
- If a VASP operates across multiple jurisdictions, a primary Supervisor could be identified if the VASP has significant proportion of its business operations in that jurisdiction.
FATF seeks comments from the private sector
Before finalizing the new Guidance, the FATF is seeking comments from private sector stakeholders by April 20, 2021 on the following areas:
- Does the revised Guidance on the definition of VASP (paragraphs 47-79) provide more clarity on which businesses are undertaking VASP activities and are subject to the FATF Standards?
- What are the most effective ways to mitigate the money laundering and terrorist financing (ML/TF) risks relating to peer-to-peer transactions (i.e., VA transfers conducted without the use or involvement of a VASP or other obliged entity, such as VA transfers between two unhosted wallets) (see paragraphs 34-35 and 91-93)?
- Does the revised Guidance in relation to the travel rule need further clarity (paragraphs 152-180 and 256-267)?
- Does the revised Guidance provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities (see Boxes 1 and 4 and paragraphs 72-73, 122 and 224)?
- Are there any further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards?
The draft guidance can be found here: https://www.fatf-gafi.org/publications/fatfrecommendations/documents/public-consultation-guidance-vasp.html