On 28 October 2021, the Financial Action Task Force (FATF), the global standard-setter for anti-money laundering and countering-the-financing-of-terrorism (AML/CFT) efforts, released highly anticipated updates to its guidance for a risk-based approach on virtual assets (VAs) and virtual asset service providers (VASPs) (the Updated Guidance). This update is likely to prompt heightened scrutiny of VAs and their associated risks, sets the tone for the regulation of decentralised finance (DeFi), and lays the groundwork for broader supervision of the VA sector and broader financial industry.
Although not legally binding on FATF member countries, AML/CFT frameworks in these countries are now likely to converge with the Updated Guidance over time.
In due course, VASPs will need to consider updating their AML/CFT policies and procedures, performing AML/CFT enterprise-wide risk assessments, and (in some cases) reassessing the regulatory perimeter to determine whether certain activities (e.g., DeFi offerings) should be viewed as being subject to AML/CFT requirements. Reed Smith is supporting the industry with this alignment process and helping VASPs navigate the updated standards.
1. Overview of changes to FATF guidance for VAs and VASPs
The Updated Guidance supersedes the first version published in June 2019. The revisions provide additional guidance in six key areas:
- the definitions of VA and VASP;
- how the FATF standards apply to stablecoins;
- countering money-laundering and terrorist-financing (ML/TF) risks for peer-to-peer (P2P) transactions;
- licensing and registration of VASPs;
- implementation of the Travel Rule, and
- information-sharing and cooperation among VASP supervisors.
A summary of some of the key changes in the Updated Guidance is set out below.
2. Decentralised services and P2P transactions
Decentralised applications (DApps), decentralised exchanges (DEXs), other types of DeFi platforms, P2P platforms and self-hosted wallet providers have posed a challenge to the regulatory objectives of AML/CFT regimes, given their lack of any single central owner or controller. Addressing the unprecedented growth of DeFi in the last few years and the attendant ML/TF risks, the Updated Guidance now provides in relatively clear terms that parties in DeFi arrangements cannot hide behind purported ‘decentralisation’ to avoid AML/CFT obligations.
Creators, owners, operators or other persons who maintain control or sufficient influence in DApps, DEXs or other DeFi arrangements may be considered VASPs where they are providing or actively facilitating VASP services, even if those arrangements seem decentralised or portions of the processes are automated. This category of persons in a DeFi arrangement should be identified by the following non-exhaustive factors:
- control or sufficient influence over assets or over aspects of the service’s protocol;
- an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or voting protocols;
- profiting from the service; and
- having the ability to set or change the parameters of the service’s protocol, and in that regard it should be noted that a VASP is not released from obligations relating to AML/CFT by virtue of having governance tokens.
If such a person cannot be identified, countries can consider requiring a regulated VASP to be involved in the decentralised services to help mitigate the risks.
It is clear that the standards do not apply to underlying software or technology. As such, developers who create software or protocols for decentralised platforms should not be subject to AML/CFT obligations.
In the same vein, P2P transactions are perceived to be a potential source of risk due to their lack of an identifiable central party. Currently, the FATF places AML/CTF obligations on intermediaries instead of individual users, and this position will be retained for the time being.
The Updated Guidance sets out measures that countries can adopt based on their risk assessment, including:
- requiring VASPs to facilitate transactions only to/from addresses or sources that are acceptable in line with their risk-based assessment;
- requiring VASPs to facilitate transactions only to/from VASPs and other obliged entities, and/or additional AML/CFT requirements (such as enhanced recordkeeping) for those who allow transactions to/from non-obliged entities;
- requiring VASPs to file reports (such as currency transaction reports) when their customers transact with unhosted wallets; and
- conducting enhanced regulatory scrutiny of VASPs that enable customers to transact with unhosted wallets.
3. Stablecoins, NFTs and CBDCs
Broadly, the FATF does not intend for a digital asset that is issued for investment or payment to be both a financial asset (e.g., a security, commodity, derivative or fiat currency) and a VA at the same time, and the onus is on each jurisdiction to determine if a relevant digital asset is a financial asset or VA. Jurisdictions should consider which of their regulatory regimes is most applicable for that digital asset.
The underlying technology of the asset is not a deciding factor in determining the applicable regime for the asset. For example, a financial asset that is blockchain-based would not be regulated as a VA under FATF standards.
Under this overarching approach, the Updated Guidance clarifies the status of stablecoins, non-fungible tokens (NFTs) and central bank digital currencies (CBDCs).
- The FATF highlights the major risks associated with stablecoins, including the enhanced risks where stablecoins are adopted widely. Effectively in most cases, aside from financial institutions whose functions are only to manage the reserve fund, entities that are involved in stablecoin issuance, offers and reserve maintenance, and those that facilitate the distribution and trading of stablecoins, such as exchanges and custodians, should comply with AML/CFT obligations.
- Central governance bodies of stablecoins will, in general, be covered as either VASPs or financial institutions. Where there is a greater degree of decentralisation, it is expected that countries will take a functional approach to identifying obliged entities and mitigating relevant risks, both before the launch of the stablecoin and in an ongoing manner thereafter.
- NFTs, and other digital assets that are unique, not interchangeable and generally used as collectibles as opposed to payment or investment instruments, are generally not VAs. However whether what is termed an ‘NFT’ is a VA would depend on its characteristics. If a so-called NFT has a payment or investment purpose in practice, it may be considered a VA. As such, NFTs that are sold on secondary markets are more likely to be VAs and operators of NFT marketplaces may fall under the scope of AML/CFT regulations in their jurisdictions. NFTs may also be digital representations of other financial assets covered by FATF standards.
- CBDCs should generally not be considered VAs as they are digital representations of fiat currencies, and FATF standards on fiat currencies issued by central banks should apply.
4. Travel Rule and counterparty VASP due diligence
The Travel Rule refers to requirements that must accompany wire transfers (including VA transfers) as set out in FATF Recommendation 16. The Updated Guidance provides more details on operationalising the Travel Rule in VA transfers including: (a) what data an originator and beneficiary VASP must verify for accuracy; (b) what records they must retain; and (c) the performance of sanctions screening on the names of customers.
In the June 2019 guidance, VA transfers between VASPs and non-obliged entities (such as unhosted wallets) were not within the scope of Travel Rule requirements. Under the Updated Guidance, the Travel Rule now applies to transactions with non-obliged entities, but with adaptations. VASPs need to determine whether the transaction is with a VASP or with an unhosted wallet, and must implement the corresponding measures.
For VA transfers to or from unhosted wallets, the obliged entity should adhere to the requirements of Recommendation 16 with respect to their customer (the originator or the beneficiary, as the case may be). The obliged entity need not submit the required information to individuals who are not obliged entities. However, obliged entities should be required to implement mechanisms to ensure effective scrutiny of such transfers to meet broader transaction monitoring, suspicious transaction reporting and sanctions implementation obligations, and countries may choose to impose additional controls on such transfers with unhosted wallets.
VASPs should be required to collect data on unhosted wallets and related P2P transactions, assessing information to determine to what extent a transaction is within their risk appetite, and to determine the appropriate risk-based controls to apply to such a transaction/customer. VASPs can be made to implement measures such as:
- enhancing the existing risk-based control framework to account for specific risks posed by transactions with unhosted wallets, such as by accounting for specific users and patterns of observed conduct; and
- studying the feasibility of accepting transactions only from/to VASPs or other obliged entities, and/or unhosted wallets that the VASP has assessed to be reliable.
The Updated Guidance also covers counterparty VASP due diligence, whereby VASPs need to perform due diligence on other VASPs with whom their customers transact. Due diligence requirements include information that a VASP should collect (such as evidence that the counterparty VASP is regulated and has a rigorous AML/CFT compliance framework) as well as when such information should be collected (at the first time of transacting and on a periodic basis thereafter).
5. Practical implications and how we can help
The publication of the Updated Guidance marks a further step in the coming of age of the VA industry, helps clarify the scope and application of AML/CFT requirements in the VA sector, and is likely to further align compliance standards for VASPs with those of conventional financial institutions. This will likely bolster partnerships between conventional financial institutions and parties in the VA sector and encourage the entry of traditional players into the VA space.
The Updated Guidance rightly focusses on substance over form. Obligations in the FATF standards arise from the nature of the financial services offered and not the technological tools, ledger design or other operating features of the platform. Similarly, while the FATF’s clarifications relating to VASPs in DeFi arrangements provide greater clarity and are a welcome development, there will likely remain ambiguity in the application of these factors (such as ‘control or sufficient influence’) to the varied DeFi operating models, in particular taking into account the frequent lifecycle progression of a DeFi arrangement from a centralised to decentralised system. Furthermore, given the move towards regulation in this space, DeFi platforms and the unhosted ecosystem that operate without AML/CFT controls may increasingly be perceived to be riskier by users and regulated VASPs.
Even as efforts to implement industry-wide or scalable solutions for compliance with the first iteration of the Travel Rule remain underway, VASPs may now ramp up efforts in exploring technology solutions to meet updated Travel Rule requirements and other requirements such as the monitoring of transaction or volume limits between their users and unhosted wallets, which may further accelerate the development of blockchain analysis and digital identity solutions.
The FATF has not provided any indication on a timeframe by which member countries should comply with the Updated Guidance, although going by past practice, an implementation review may be expected to be announced in due course. Although not legally binding on member countries, AML/CFT frameworks in these countries are now likely to converge with the Updated Guidance over the coming years. Pending such updates to national frameworks, the VA industry is likely to use the Updated Guidance as a reference point in interpreting and applying existing risk-based AML/CFT frameworks.