FATFs Virtual Assets and Virtual Asset Service Providers: Latest Guidance

FATF’s latest guidance was a reminder to the VA, VASP, Ce/DeFi, and crypto communities that AML/CFT, KYC, TM, and payment transparency (aka “The Travel Rule”) are just as applicable to them as they are to traditional compliance professionals (TCPs). But what should TCPs watch out for?

On March 19, FATF published its much-awaited Draft Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers. This draft guidance has implications beyond VAs and VASPs, most of whom are clients of traditional banks. The draft guidance should be read and assimilated by firms or anyone working in the cryptocurrencies and virtual assets space, as well as compliance officers who support traditional banks, markets, and other sectors.

What’s in the Draft Guidance?

Here is a summary of some of the key elements within the draft guidance. In short, it:

• Offers additional clarification and guidance on compliance with payment transparency (aka the Travel Rule/Wire Transfer Rule) and record-keeping obligations.
• Provides a helpful table on the “Data requirements for ordering and beneficiary VASPs” and obtaining originator and beneficiary information.
• Reminds VASPs who have not implemented “Travel Rule” controls that AML/CFT, licensing/registration, record-keeping, sanctions, and TM requirements, etc., are applicable and should form part of their financial crime risk ecosystem.
• Confirms that CBDCs and certain DApps are not considered VAs, but “so-called stablecoins” are, making these coins subject to FATF standards and ML/TF rules and requirements.
• Confirms that escrow services and other activities supporting crypto (e.g., smart contracts or firms outsourcing certain activities, such as custodian wallets, or using digital exchanges) should consider if they are VASPs, and, therefore, must comply with requirements.
• Promotes the need to undertake periodic reviews on counterparty VASPs. This suggests a need for a “VASP certificate” and for using traditional good practices when conducting due diligence, KYC or transaction monitoring.
• Suggests options for mitigating Peer-to-Peer transactions and sunrise risks.
• Acknowledges:
  • the volumes and growing acceptability of trading or using virtual assets when dealing or trading in swaps, securities, FX, futures/forwards, commodities or derivatives-related activity. 
  • the role of “Trading Platforms.”  (NB: Hong Kong’s SFC published a helpful paper.)
• Recognizes work by key regulators (e.g., CFTC, FinCEN, SEC, etc.) in regulating licensed firms and traders, retail foreign exchange dealers or introducing brokers.
• Recognizes the: 
  • global and cross-border nature of VASPs and virtual assets. This requires regulators to coordinate their approach to avoid maturity, sunrise issues and regulatory arbitrage.
  • need to clarify information and data-sharing obligations and best practices.
• Recognizes the need to understand the different types of tokens — including non-transferable (NT), non-exchangeable and non-fungible (NFT) tokens — and how different tokens might be used to aid fraud, ML/TF, or proliferation crimes.
• Reinforces the reminder that VASPs should assess and mitigate the risks associated with TBML or proliferation financing risks.

What Impact does FATFs Guidance on Virtual Assets Have on Compliance?

Although there is no immediate impact to compliance, FATF’s guidance, plus the accompanying “Call for Evidence,” demonstrates the future direction of AML, CFT, sanctions and payment transparency for the traditional and ever-expanding gatekeeper family. Read in conjunction with preceding FATF guidance, plus publications from global regulators, it highlights the ramifications and opportunities for compliance professionals whose firms or customers deal with cryptocurrencies or virtual assets.

Three Things To Watch Out For

Assuming the “Call for Evidence” yields minimal changes to the draft guidance, there are three areas that traditional financial institutions and their compliance professionals should watch out for, generally and when conducting KYC. These include clients of firms or entities (i.e., owners or operators) involved with:

DApps (Decentralized or Distributed Applications)

Why? Decentralized apps, products, and services might be classified as VASPs under local jurisdictions, which require the registering and licensing of secondary services.

NFTs (Non-Fungible Tokens)

Why? Increasingly firms are using NFTs to raise money/equity. Increasingly since COVID-19, firms are producing, offering, or trading (their own) NFTs. Although initially NFTs fall outside the definition, they may be considered VAs, especially in the UK and EU, due to secondary markets or local trading, prospectus, or marketing (of stock, shares, or securities) obligations. Also, if the NFTs enable the transfer or exchange of value, traditional FATF obligations to prevent ML/TF or proliferation financing might form part of buyer/investor KYC and reporting requirements.

VA Escrow Services and Unhosted Wallets

Why? FATF describes unhosted wallets as digital wallets held by a non-VASP,  non-obliged entity, or person. Based on the draft guidance plus EU, UK, and US publications, escrow and unhosted wallets services could be considered equivalent as “relevant” crypto or virtual assets services providers (CASPs under the EU’s MiCA). Here, relevant services extend beyond the already captured pay ~ receive (between two obliged entities) and might include services involving blockchain-based smart contracts, brokerage, order-book exchange services, technologically advanced trading services, plus providers of custodian services, which will include hosting digital wallets, anonymous or otherwise. FATF suggests transfers to unhosted wallets are considered ‘higher risk transactions’, requiring suitable equivalent controls.

Escrow firms (which might include one-person law, estate agency or accountancy practices) may be classified as VASPs under FATF’s wider definition or under their local jurisdictional definitions, which require licensing,  registration, the reporting of transactions, transparency of beneficiary or originator details in line with the Travel Rule (R.16), or other payment or currency control obligations. Remember, draft guidance aside, firms might consider treating any transactions missing beneficiary or originator details as high, or at least heightened, risks and consider any CFT/STR or SARs obligations.

Anything Else?

Regardless of the sector or industry that compliance professionals support, the draft guidance is a timely reminder of the need for policies and procedures on VAs and VASPs. Without waiting for the final guidance key regulatory compliance policies, procedures, and risk taxonomies should be reviewed to ensure they are up to date and relevant. Like the draft guidance’s title suggests, policies should augment and complement a firm’s existing risk-based approach. Policies that complement the managing of traditional financial and non-financial risks — including ML/TF, markets, KYC, payments transparency, reporting, sanctions and transaction monitoring, and the use of data and technology — should take priority.   

Additionally, compliance professionals should read the draft guidance and, if able, contribute to the “Call for Evidence.” Armed with this information, traditional compliance professionals can plan their own future and add value to the risk debate.