The Financial Action Task Force (FATF), an international body that sets standards for anti-money laundering and counter-terrorism financing (AML/CTF), has published its updated ‘Draft Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers’ (Draft Guidance) for public consultation.
Key changes to the Draft Guidance, published on 19 March 2021, include:
- decentralised exchanges (DEXs), certain decentralised application owners and operators, crypto escrow services and certain non-fungible tokens (NFTs) are considered virtual asset service providers (VASPs);
- stablecoins are virtual assets and will be subject to the FATF Standards, although central bank digital currencies are not considered to be virtual assets;
- an obligation on VASPs to assess and mitigate proliferation financing risks. FATF is currently developing separate guidance to clarify these requirements;
- the introduction of best practice guidelines for VASP counterparty due diligence;
- additional guidance for the public and private sectors on the implementation of the ‘travel rule’ (Travel Rule); and
- additional guidance on mitigating peer-to-peer (P2P) transfer risks, such as unhosted wallets.
We will explore some of these key changes further below.
Separate to the public consultation, FATF is also presently undertaking its second 12-month review of the ‘Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers’, which will be published in June this year. Relevant issues highlighted during the public consultation may be considered during the review.
In 2012, member countries adopted FATF’s ‘International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation’ (Standards).
The Standards are part of an AML/CTF initiative. Recommendation 16 of the Standards (the ‘Travel Rule’) imposes obligations on ‘wire transfer’ transactions. The rule requires member countries to ensure their financial institutions obtain and share originator (sender) and beneficiary (recipient) information during the transfer, and to take appropriate measures (including freezing orders) where information is lacking.
It was only in 2019 that FATF amended Recommendation 16 of the Standards so that it applies to the transfer of virtual assets. Following the changes, member countries’ VASPs, financial institutions and other obliged entities are now required (subject to implementation within relevant jurisdictions) to share beneficiary and originator information with counterparties during transmittals of virtual assets over the value of USD $1,000.
The term ‘virtual asset’ is defined in the Standards as a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.
Under the Standards, ‘virtual asset service provider’ means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
Current state of play
Member countries have had difficulty implementing the Travel Rule with respect to the transfer of virtual assets. A key concern is that implementation of such regulations is extremely region-specific, leading to the ‘sunrise problem’, where some countries, particularly those with less stringent AML/CTF requirements, are slow to implement measures to comply with the Travel Rule, which has ultimately slowed global compliance.
FATF has also noted that while the regulation of VASPs and their implementation of AML/CTF compliance measures are still nascent, there is ‘evidence of progress’ in the work that technical solution providers (TSPs) have done to build compliant products. FATF notes, however, that there is no technical solution (or solutions) that enables VASPs to comply with all aspects of the Travel Rule in a ‘holistic, instantaneous and secure manner’.
FATF states that any technology or software solution is acceptable, so long as it enables the ordering and beneficiary institutions (where present in the transaction) to comply with their AML/CTF obligations. FATF has stated that it is technology-neutral and does not prescribe a particular technology or software approach that providers should deploy to comply with the Travel Rule. FATF has acknowledged the crypto market’s desire for more than one technical Travel Rule solution and, as such, has prioritised the importance of common standards that would help establish interoperability between these solutions.
The following are a few of the leading TSPs currently offering solutions for compliance with the Travel Rule:
- Syna Bridge allows VASPs to share personally identifiable information with each other through an encrypted ‘privacy-secure tunnel’ using a centralised API. Syna Bridge is geared towards custodial wallet users.
- Netki is a veteran in the Travel Rule compliance space. Its TransactID solution works across all private and public blockchains with both custodial and non-custodial wallets, so it is primed for interoperability.
- TRISA is a non-profit, open-source Travel Rule compliance project that works by providing VASPs with a way to assess whether data transmission requests are compliant with the Travel Rule through the use of a proven Certificate Authority model. Because it is a fully open-source project, VASPs that choose to use the network for data transmission will need to take responsibility for maintenance and integration themselves.
- SelfKey Compliance Hub offers secure exchange-to-exchange messaging using decentralised identity claims on the SelfKey network to whitelist compliant VASPs and minimise data sharing, and allows multiple VASPs to be interoperable, even with different internal data structures.
While there are several varieties of TSPs on the market for VASPs, the strength of each remains highly dependent on the cooperation and connectivity between various stakeholders and countries.
In terms of jurisdiction implementation, FATF noted in a report published in June 2020 that there has been less implementation of the Travel Rule requirements for VASPs than other AML/CTF requirements. FATF found that from the 32 jurisdictions that have implemented AML/CTF regulatory requirements for VASPs, 15 jurisdictions advised they had introduced Recommendation 16 requirements for VASPs. Some jurisdictions noted they were enforcing Recommendation 16 requirements, but several others stated that they had faced difficulty enforcing the Recommendation 16 requirements effectively and had delayed enforcement while waiting for holistic and scalable technological solutions to be developed.
Jurisdictions that are leading the way in Travel Rule implementation, from transposing Travel Rule requirements into national law to requiring VASPs to plan for implementation and enforcement of the Travel Rule, include the European Union, Japan, Switzerland, South Korea and Singapore.
New guidance on the Travel Rule
The Draft Guidance provides additional guidance for the public and private sectors on the implementation of the Travel Rule, including:
- VASPs that have not implemented the Travel Rule should be considered higher-risk.
- VASPs need to undertake counterparty VASP due diligence before they transmit the required information.
- Regardless of the lack of regulation in the beneficiary jurisdiction, originating VASPs can require Travel Rule compliance from beneficiaries by contract or business practice. In general, those business decisions are made by each individual VASP based on their risk-based analysis.
- Originator and beneficiary VASPs should screen transactions to confirm that the counterparty is not a sanctioned name.
- The submission of the originator and beneficiary information in batches is acceptable, so long as submission occurs immediately and securely as per FATF Standards. However, submission must occur before or when the virtual asset transfer is conducted.
- Where there is not an originator or beneficiary institution (transactions to and from unhosted wallets), the VASP must still collect the required information with respect to their customer. Countries should also consider requiring VASPs to treat such virtual asset transfers as higher-risk transactions that require enhanced scrutiny and limitations.
- Given the ‘sunrise issue’ in relation to the Travel Rule, countries should also adopt a risk-based approach in the assessment of the business models presented by VASPs. Countries should consider the full context of Travel Rule compliance, including whether there are sufficient risk mitigation measures taken by the VASP to adequately manage money-laundering and terrorism-financing risks.
VASP counterparty due diligence
The Draft Guidance also introduces best practice guidelines for VASP counterparty due diligence when implementing the Travel Rule. The Draft Guidance states that in order to conduct counterparty due diligence in a timely and secure manner, FATF recommends a three-phase approach:
- Phase 1: Determine whether the virtual asset transfer is with a counterparty VASP or to an unhosted wallet or other service.
- Phase 2: Identify the counterparty VASP.
- Phase 3: Assess if the counterparty VASP is an eligible counterparty to send customer data to and to have a business relationship with.
The Draft Guidance states that blockchain analytics can be used to assess the VASP and identify discrepancies. In addition, FATF notes that complete counterparty VASP due diligence must be completed before the first transaction with the VASP, and that the results of counterparty VASP due diligence should be reviewed periodically.
FATF notes in the Draft Guidance that it aims to maintain a level playing field for VASPs based on the financial services they provide, in accordance with current standards that apply to financial institutions and other AML/CTF-obliged entities, and to also minimise the opportunity for ‘regulatory arbitrage’ between sectors and countries.
The upcoming review of the ‘Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers’ in June 2021 is also likely to present additional challenges to VASPs, as the Draft Guidance indicates FATF will require member countries to deny licenses to VASPs that allow virtual asset transfer to and from private wallets.
These revisions may exacerbate the problem where players in the crypto industry bypass the involvement of VASPs, in favour of P2P virtual asset transfers, which are not currently covered by FATF Standards. Further, some countries have also concluded that the benefits of virtual asset transactions are outweighed by the cost of compliance, or the risk of non-compliance, and have prohibited the operation of crypto exchanges altogether.
Before finalising the revisions to the Draft Guidance, FATF is seeking comments from private sector stakeholders by 20 April 2021.
We note that the Travel Rule is yet to be legislated in Australia.