Response to FATF Regarding Regulation and Monitoring of Virtual Asset Service Providers
In October 2018, the Financial Action Task Force (FATF) amended its Recommendation to clarify how the FATF standards apply to activities or operations involving virtual assets. Recently, FATF asked for consultation comments with regards to a draft “Interpretive Note to Recommendation 15.” Explaining the need for revision, the FATF said: “Recognising the need to adequately mitigate the money laundering (ML) and terrorist financing (TF) risks associated with virtual asset activities, the FATF is setting out more detailed implementation requirements for effective regulation and supervision/monitoring of virtual asset services providers.”
As a leader in anti-money laundering (AML) and counter-terror financing (CTF) as well as cryptocurrency regulatory monitoring, CipherTrace was pleased to offer recommendations. The following is our complete response to the request for Consultation Comments on the FATF’s Draft Interpretive Note to FATF Recommendation 15.
7. With respect to preventive measures, the requirements set out in Recommendations 10 to 21 apply to VASPs, subject to the following qualifications:
(a) R.10 – The occasional transactions designated threshold above which VASPs are required to conduct CDD is USD/EUR 1 000.
CipherTrace response: This is reasonable. It should also consider time-based constraints so that an individual or organization cannot process in a day tens or hundreds of transactions at 900 EUR and not be reported.
This tracking and reporting needs to be done on a per-customer basis not a per-address or per-wallet (cryptocurrency) basis, as an individual may have tens or hundreds of addresses or wallets.
VASPs should be obligated to perform analysis and reporting on crypto-to-crypto swaps (e.g., swap Bitcoin into Ethereum or Monero) at this same level, and to have controls such as KYC on those accounts above the 1,000 EUR mark.
(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information2 on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16.
“It is not necessary for this information to be attached directly to virtual asset transfers”
CipherTrace Response: It is reasonable that countries should ensure that originating VASPs obtain and hold required and accurate originator information. This can be done today with existing Know Your Customer (KYC) processes. VASPs should also retain beneficiary information on virtual asset transfers and make it available to appropriate authorities. There needs to be timelines established for data retention periods (1 year, 3 years, 5 years).
The complexity lies in the definition of “beneficiary information”. Today in cryptocurrencies, beneficiary information consists solely of a cryptocurrency address. There is no “real world” connection between this address and a human being or a bank account or a correspondent VASP account. These cryptocurrency addresses can be at another VASP or can be on a personally controlled computer or mobile phone, as a form of digital cash.
It is feasible to imagine a future where all addresses containing or controlling virtual currencies have a name, address and bank account number associated with them, however this is not the case now. In fact, we believe that it will never be the case, as virtual currencies are a hybrid between cash, bearer instruments, traded securities and bank assets.
To restrict VASPs to only accept or send funds to beneficiaries that have a higher degree of identity than address information will cause significant problems to the cryptocurrency economy. Consider that a large amount of funds (over $100 B) are stored in private wallets that are not controlled by VASPs. There is no identifying information other than the public cryptographic key of the address that controls these funds. Locking these out from the VASP infrastructure would mean that tens or hundreds of billions of dollars of funds would be locked out from the service provider infrastructure. This will cause unpredictable chaos and a migration of services to jurisdictions where FATF regulations and guidelines are not followed.
One can propose a system where an overlay network of beneficiary and originator data is exchanged and associated with all cryptocurrency addresses. This has an appeal in that private holders of cryptocurrencies could register their addresses with identity information and then be allowed to transact with compliant VASPs. However, the design, implementation, operation and enforcement of such an infrastructure would be highly challenging on a global basis, as well as costly. There will be significant economic, political and privacy challenges to such an approach.
Regarding beneficiary information being attached to transfers, the concept that this data does not need to be transferred along with the transaction is sound, and provides privacy protection, yet allows legal due process to access the information for investigations. This can be accomplished by VASPs storing data for defined periods of time.
The ability to discern receiving addresses for funds transfers should apply to privacy-oriented cryptocurrencies such as Monero, Dash, Zcash and MimbleWimble. These technologies need to be regulated such that the transfer in and out from VASPs requires beneficiary information or originator information to be accessible to the VASP. If this information cannot be analyzed for deeper inspection as to the true origin (in the case when an intermediate address is used to hide the true origin of the funds), then the funds should be frozen.
Cryptocurrencies such as Bitcoin, or derivative currencies such as Litecoin and Bitcoin Cash can be analyzed with blockchain analytics tools, and therefore tracking the entire transaction chain is not necessary. However, privacy-oriented cryptocurrencies, such as Monero which is designed for anonymity and includes a money-laundering currency mixing technology in the protocol, need much stronger regulation and oversight. Fortunately, Monero as a “View Key” capability which may be adapted to meet regulatory requirements with sufficient technical analysis and oversight.
Technical Detail for Including Transaction Detail in Bitcoin and Bitcoin-related Transactions:
All transactions on public blockchains will always contain the sending and receiving address, the transactions ID, and the amount. While it is technically possible to attach additional originator or beneficiary information such as names or addresses as an OP_RETURN script, which could include information similar to travel rule information like with a wire transfer, the OP_RETURN is only valid for the one transaction and must be decrypted on the receiving ends in order to read the information. Additionally, an OP_RETURN is not inherently connected to a specific output and would therefore have to be manually linked in some way to its respective output, without specifying within the OP_RETURN to which output the message corresponds, it would be difficult to write one OP_RETURN that applies to each payment beneficiary of one transaction. Any BTC sent to an OP_RETURN will be unspent and burned. OP_RETURNS are also used for the Omni Layer protocol and Tether.
“Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16”
CipherTrace Response: The ability of a VASP to prohibit a cryptocurrency transaction is somewhat limited because an incoming cryptocurrency transaction cannot be rejected, whether it is wanted or not. Sending funds back to the originating cryptocurrency address is not a solution to rejecting funds, as the sending address may not be able to receive funds. In such a case, the funds could be non-recoverable, which could expose VASPs to liability and claims from customers.
A VASP can freeze cryptocurrency funds once they hit an address pertaining to that respective exchange, but the VASP cannot keep other bitcoin addresses from transferring funds into the address with frozen funds. As the holder of the private keys to all the customer wallets on its platform, a VASP can reject a request for an outgoing transaction either due to suspicious activity by the requestor or reported or known suspicious activity by the destination address.
Therefore, a VASP can freeze outgoing transactions from an address, but cannot control the incoming transactions to that same address. VASPs should be required to develop or procure analytic tools to allow them, to analyze incoming funds, freeze them, and determine the path from whence they came.
About FATF
The Financial Action Task Force was founded to address concerns about money laundering and the threat it poses to the world financial system. The inter-governmental body advises 36 member countries and two regional organizations, and is one of the most influential voices globally on combating financial crimes. The FATF’s mandate was expanded in 2001 to include efforts to combat terrorist financing (CFT). Its influence also extends beyond its member countries, as a number of regional Financial Action Task Forces around the world provide guidance to regulators in the Caribbean Latin America, the Middle East, and North Africa. Its MoneyVal associate provides guidance to countries of Europe outside the EU, including Malta.