V20 Osaka Virtual Assets FATF Summit Key Takeaways

The 28–29 June 2019 V20 summit in Osaka, co-located with the G20 summit, was a gathering of some of the largest regulated Virtual Asset Service Providers (VASP), Financial Action Task Force (FATF) officials, leading consultants versed in Virtual Assets (VA), FinTech and blockchain associations, as well as a smattering of media and technology service providers. Notable exceptions were traditional financial service providers and senior blockchain technologists.

The focus of the summit was on education and the concerns surrounding the implementation of the recent FATF VA requirements as pertaining to VASPs. These requirements stipulate a range of obligations around VA and VASP regulatory frameworks to reduce the prevalence of money laundering and terrorist financing within virtual assets. The summit was not focused on changes to the FATF requirements; these were ratified in June and are considered quite immutable and inexorable within the short- to medium-term.

The dialogue was quite technical and provided clarity on pertinent issues. The most discussed topic was the introduction of the “travel rule”, an obligation for VA exchanges and other VASPs to transmit beneficiary details to any receiving VASP.

Additionally, it was quite clear to participants that transactions between non VASPs (i.e. peer-to-peer and purely decentralized transactions) did not fall within the scope of the FATF requirements.

The travel rule is intended to apply the same AML standards to VASPs as in the traditional finance sector. Deposits from and withdrawals to non VASPs are not required to transmit beneficiary details.

Originating VASPs are obliged to have vetted the beneficiary details to be shared to beneficiary VASPs. Beneficiary VASPs are not obliged to validate entity details on the deposits received from originating VASPs.

Other useful insights included a view that FATF is not intending to target software developers for “simply releasing software to the world”.

This is evidenced by FATF requirements not encompassing peer-to-peer transactions between non VASP participants. There is currently no policy with regards peer-to-peer and/ or truly decentralised exchanges, although decentralised exchanges where an entity is receiving transaction fees or other forms of profit does fall within the definition of a VASP.

Finally — it was clear that Facebook’s Libra would fall within the scope of the FATF

requirements.

After a day of education and dialogue, the agenda pivoted to next steps, and how the industry might respond to the FATF requirements.

A number of breakaway workshops were conducted; some were focused on potential technical solutions and protocols, whilst others talked overriding principles or approaches to properly engaging the community.

In the author’s view, protocol and technical solution discussions were premature and an

overreach, given that the most qualified technologists have not yet been engaged.

Ignoring entities that intend to operate illegally or conduct regulatory arbitrage, there will be two responses to the incoming obligations on market participants:

1. The cypherpunk community will accelerate peer-to-peer and decentralized exchange innovations, providing marketplaces that can operate legally without requiring participants to break any laws.
2. VASPs will develop a number of heterogenous approaches for meeting legal obligations in multiple jurisdictions

The remainder of this post will focus on the second collection of stakeholders; many highly innovative individuals and firms will undoubtedly execute on the first with great fervor.

In the author’s view, two of the most influential stakeholders have not yet been adequately engaged, namely, the core blockchain technologies underpinning the VA industry and the traditional Financial Institutions (FI) entering the space. The technology community, in particular, has proven to be influential and innovative, albeit slow in gaining momentum. The Bitcoin SegWit implementation exemplifies these characteristics. Ignoring this set of stakeholders will be counterproductive.

The author’s recommendation is to conduct heavy community education and engagement, as most of the blockchain technical community is not aware of or interested in the FATF implications as this time.

In particular, the author recommends that working groups are established to engage the community. Many of the community will branch out to rapidly innovate increased decentralisation. Others, however, may engage only if principles are surfaced that are congruous with the principles of the decentralised blockchain community.

The author believes that such principles are likely to include:

· Decentralisation to the extent possible (whilst meeting FATF requirements)

· Minimising data sharing to the extent possible

· Open protocols

· Heterogenous implementations

· A lightweight, risk-based approach

Once a critical mass of stakeholders has come together around a set of mutually shared principles, some of the best protocol designers may emerge to design an open protocol for VASPs and vendors to implement incrementally over time.

Some of the attendees delved into protocol or implementation discussions. A commonly proposed solution was as follows:

1. A central database maintains a list of VASPs (and potentially address whitelists)
2. Every time an originating VASP sends a transaction, it sends end user beneficiary details to a (global?) mediator
3. When a beneficiary VASP receives a transaction, it queries the mediator about any relevant end user beneficiary details

To a privacy advocate (or decentralisation proponent) the above suggestion is untenable. If one started with guiding principles, namely to “minimise data sharing to the extent possible under the requirements”, the proposal might look somewhat different:

1. VASP registers with one or more VASP registration repositories with accompanying transaction meta data services
2. Originating VASP prepares transaction and a hash that does not reveal any private data. The hash is published to one or more transaction meta data services
3. Originating VASP sends a transaction to the destination address
4. Beneficiary VASP receives the transaction and queries one or more transaction meta data services for the given transaction (obfuscated). If the transaction originated from an end user/ non-custodial wallet, there will be no such meta data and the beneficiary VASP can continue with other compliance checks
5. The originating VASP transmits data to the beneficiary VASP in a manner that prevents any other parties (mediator or otherwise) from receiving the private end user data

This is a primitive example — it serves simply to illustrate the importance of starting with the key principles dear to most of the community’s influential stakeholders before delving into protocol design or solution implementation.

Given their implicit decentralisation principles, it’s clearly important to engage the strength of this community. Parties must be educated on the implications of the FATF requirements (both positive and negative). There must be an emergent, collaborative set of principles and protocols that have the highest possible chance of successful implementation.

Some readers may benefit at this point from a little background.

FATF requirements are provided as best practices to guide and measure the effectiveness of sovereign AML and CFT; they are not direct requirements for individual companies and entities. Member countries are expected to incorporate the requirements into concrete national regulatory frameworks.

FATF also has a supervisory function; nations that have not incorporated FATF requirements may be designated as higher risk jurisdictions, resulting in material economic damage. Most FATF members are endeavoring to incorporate FATF requirements and avoid being designated as high risk.

The FATF requirements are officially in effect already, with an expectation that member jurisdictions adopt them within one year. Almost certainly many members will take longer due to the slow pace of legislative changes; estimates from attendees varied from one year for a full roll-out (from some of the more aggressive/ optimistic individuals) to five or even 10 years, from the cynical and/ or very experienced.

Most, if not all, attendees expected regulatory arbitrage as an outcome, with many referring to active market participants already adept at such activity. Mobile market participants are expected to move their operations from jurisdiction to jurisdiction for several years to avoid regulatory remit and enforcement.

Regulators are obliged to incorporate the FATF principles into their framework for VASPs operating and servicing customers within their own jurisdictions. Cross-border activity, however, is a little more flexible (with enforceability a likely issue) where:

· VASPs within the jurisdiction of the regulator are servicing customers outside of the jurisdiction; and

· VASPs from other jurisdictions are servicing customers within the regulator’s jurisdiction

Another common topic aired during the event, by regulators and VASPs alike, was the balancing act between fostering innovation and enforcing regulatory controls. The conclusion was (as usual) that a risk-based approach is preferred. Innovations and market scenarios operating at volumes too low to present material risks (from a money laundering and terrorist financing perspective) should fall outside burdensome regulatory focus. Incoming financial institutions and sizable VASPs (in terms of aggregate liquidity) present a much higher risk.

In the author’s opinion, there is an agreeable (whilst temporal) trade-off between the cypherpunk ideals underlying digital assets (non-custodial) and centralised financial service providers (custodial). The current prevalence of lower volumes in decentralised marketplaces may be exploited by cypherpunks, thereby allowing rapid innovation to improve individual liberties and self-protection, whilst remaining outside the risk-based regulatory environment.

The introduction of the FATF requirements to higher-volume, centralised VASPs and incoming traditional financial service institutions will add regulatory clarity. This clarity is needed for the largest economic actors to participate in digital assets as an asset class. Mass market participation in digital assets, coupled with maturing non-custodial technology, may eventually result in bringing the cypherpunk ideal to the highest number of individuals.