FATF Updated Guidance on Virtual Assets, Virtual Asset Service Providers and Travel Rule

VerifyVASP
Dec 8, 2021

Introduction

The FATF has published its Updated Guidance for a Risk-Based Approach to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs) [‘Updated Guidance’]. The Updated Guidance amends the FATF Guidance originally published in 2019 and contains significant changes from the March 2021 proposed Draft Guidance previously covered in this article.

It is worth highlighting that whilst the FATF Updated Guidance is not legally binding on member countries or VASPs, it would be prudent for VASPs to proactively assess their compliance programs and mitigate their exposure to money-laundering and terrorism-financing risks. Countries and VASPs that do not heed the Updated Guidance may face increased monitoring risks and find their ability to initiate VA transfers affected.

General Position

  • The Updated Guidance is generally applicable to all financial institutions and VASPs engaged in VA activities. No financial assets should be interpreted as falling entirely outside of the FATF Standards merely because of the format in which they are offered.
  • FATF and the Updated Guidance take a technology-neutral approach: those offering functionally equivalent products and services are subject to the same risk-based standards, regardless of the underlying technology involved.
  • FATF does not support de-risking or wholesale and indiscriminate termination or restriction of business relationships merely to avoid the risk of the sector. Instead, the risk of the sector should be managed in line with the FATF’s Risk-Based Approach.
  • The Updated Guidance did not change the underlying definition of VA and VASP and reiterated that an ‘expansive view’ on the definition of VA should be taken with the definition of VASP similarly interpreted broadly.
  • The Updated Guidance also set forth guidance relating to the implementation of ‘Travel Rule’ that requires financial institutions and VASPs to convey identifying information about parties sending or receiving wire transfers.

The following is a summary of the key changes in the Updated Guidance. All VASPs and entities engaged in any VA activities are advised to review the Updated Guidance and the corresponding local laws and regulations that adopt the FATF Recommendations, and to assess their risk appropriately.

Definition of VAs and VASPs

The Updated Guidance did not change the underlying definition and continues to define virtual asset as a ‘digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes’, similar to the 2019 Guidance. However, the Updated Guidance elaborates on how the definition applies to a number of specific asset types.

Three specific categories of asset types were discussed:

Central-bank Digital Currencies (CBDC)

FATF categorises CBDC as ‘fiat currency’ rather than a VA, as CBDC is merely a ‘digital representation of fiat currency’ similar to any other form of fiat currency issued by a central bank.

Although FATF acknowledged that CBDC may have unique AML/CFT risks compared with physical fiat currency, and recommends that any AML/CFT risks be addressed before the launch of any CBDC, this does not change CBDC’s categorisation as fiat currency, and CBDC is accordingly excluded from this Updated Guidance. However, this exclusion should not be taken as an indication that CBDC is unimportant. FATF has stressed that FATF Standards apply to CBDCs as they do to any other central bank-issued fiat currencies.

Stablecoins

On the other hand, the Updated Guidance clarified that stablecoins should be considered VAs, as they share many of the same AML/CFT risk factors as any other VAs, such as the potential for anonymity, global reach and use to layer illicit funds. Any AML/CFT risks of stablecoins should therefore be identified, analysed and mitigated before they are launched. Other AML/CFT risk factors potentially linked to stablecoins should also be considered. Any stablecoin issuer or entity behind a stablecoin should equally be licensed and covered under the FATF Standards as either a VASP or a financial institution (i.e., depending on the exact nature of the asset, stablecoins may also be deemed other existing financial instruments constituting currencies, commodities or securities, in which case these entities should be regulated and categorised as a financial institution).

Non-fungible tokens (NFTs)

The Updated Guidance defines non-fungible tokens (NFTs) as ‘digital assets that are unique, rather than interchangeable and that are in practice used as collectibles rather than payment or investment instruments’, which FATF refers to as crypto-collectibles. For this reason, the Updated Guidance explicitly states that such tokens are ‘generally not considered to be VAs’. However, an NFT may be considered a VA if it is used for ‘payment or investment purposes in practice.’

It should also be noted that there may be other NFTs that may be a digital representation of other financial assets and would therefore be similarly covered by the FATF Standards as that type of financial asset.

In general, even though NFTs are largely excluded from the definition of a VA, it should be highlighted that NFTs may nevertheless be categorised as VA or securities if they are subsequently sold onward or traded as an investment in a secondary market.

Definition of VASPs

Similarly, the definition of VASP remains the same as the FATF 2019 Guidance, defining VASP as ‘any natural or legal person that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

  • Exchange between virtual assets and fiat currencies;
  • Exchange between one or more forms of virtual assets;
  • Transfer of virtual assets;
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.’

The Updated Guidance goes on to define several terms contained in the overall definitions, such as ‘persons’ and ‘as a business’. Of particular note is the definition of ‘conducts’, which is defined to include ‘the provision and/or active facilitation of a service’. This means that any ancillary participants that do not provide or actively facilitate any of the 5 major services described above are excluded, such as internet or cloud service providers, venture capital firms and computer manufacturers. Arguably, any self-hosted or non-custodial hardware wallet providers that provide staking as an ancillary service to generate additional tokens for users should not be regulated or deemed VASPs.

Decentralized Finance (DeFi):

The Updated Guidance includes a number of additions regarding DeFi and DApps, which largely track the March Draft Guidance. The Updated Guidance makes clear that a DeFi application or decentralised/distributed application (DApp) is not itself a VASP, as the FATF Standards do not apply to the underlying software or technology, in line with FATF’s technology-agnostic approach. However, the Updated Guidance adds that ‘creators, owners and operators or some other persons who maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralised may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services.’

Such control or sufficient influence can take the form of influence over assets or aspects of the DeFi protocol, the existence of an ongoing business relationship with the users, and the ability to profit from the service or to set or change parameters of the service. This means that any DeFi owners and operators that have the ability to restrict coin listings on a decentralized exchange, operate a domain that enables user access, or are otherwise able to intervene in the activities of a DeFi marketplace in a significant way, may now be deemed VASPs and thereby be required, from the FATF’s perspective, to be licensed or regulated and to comply with all aspects of the AML/CFT obligations, including the Travel Rule obligation.

The Updated Guidance has also clarified that individual governance token holders are not deemed VASPs if they do not exercise ‘control or sufficient influence over the VASP activities undertaken as a business on behalf of others.’

FATF seemingly takes the position that many DeFi projects are in fact not sufficiently decentralised to be outside the VASP definition and would, in the majority of cases, include a person with control or sufficient influence. The Updated Guidance accordingly calls on member countries to apply the VASP definition without much regard to such an entity’s self-description. Although FATF has acknowledged that there may be cases where no centralised party can be identified in connection with a DeFi application, it nonetheless calls on each member country to monitor the risks posed by such DeFi services or arrangements and consider mitigating measures, such as requiring a regulated VASP to be involved in activities related to a DeFi arrangement.

Stablecoin-Issuers or Entities involved in Stablecoin Arrangement:

With stablecoins, the Updated Guidance tracks the March Draft Guidance, and FATF continues to insist that a central developer or governance body is likely to exist, and is needed, in order to drive the development and launch of stablecoins. Where such a central developer or governance body exists in a stablecoin arrangement, ‘they will, in general, be covered by the FATF Standards either as a FI or a VASP’ (i.e., depending on the exact nature of the asset, stablecoins may be deemed other existing financial instruments constituting currencies, commodities or securities).

However, the Updated Guidance leaves open the possibility that not all stablecoins will ultimately have a readily identifiable central body which is a VASP or a FI. In such circumstances, it is ultimately the member countries’ responsibility to consider the risks the given stablecoin poses in the pre-launch phase and the need for any mitigation measures to be put in place.

The Updated Guidance has clarified that software developers who merely develop software code should not be implicated or covered by the VASP definition. The Updated Guidance went on to provide examples of activities or entities within a stablecoin arrangement that would not be subject to the VASP definition in the FATF Standards, including ‘validators…whose functions are only validating transactions; cloud service providers whose functions are only offering the operation of infrastructure; manufacturers of hardware wallets whose functions are only manufacturing and selling the devices; software providers of unhosted wallets whose functions are only developing and/or selling the software/hardware; merchants which are only providing goods and services in exchange for Coins; software developers who do not undertake any VASP functions; and individual users.’

P2P Transactions

The Updated Guidance indicates that member countries should consider P2P transactions as posing unique and potentially heightened AML/CFT risks, and should apply appropriate measures to mitigate those risks, such as establishing controls to facilitate the visibility of P2P activity crossing between obliged and non-obliged entities, or obliging VASPs to facilitate transactions only to/from VASPs and other obliged entities.

Most of the mitigation measures originally proposed in the March Draft Guidance remain in this Updated Guidance. In a positive development, however, FATF has removed the problematic suggestion for countries to consider ‘denying licensing of VASPs if they allow transactions to/from non-obliged entities (i.e., private/unhosted wallets).’

Correspondent Relationships & Counterparty Due Diligence

It is a misconception that a correspondent ‘banking’ relationship applies in the same way to VASPs. Correspondent banking exists because limitations in banking infrastructure for accessing and providing financial services in another country mean that a foreign bank may need to open a correspondent account with a domestic bank. The notion also ignores the significant difference between VA transactions and correspondent banking transactions: VASPs may settle VA transactions bilaterally without one VASP needing to establish and maintain an ongoing account relationship with the other. Furthermore, when VASPs hold accounts with other VASPs, it is not typically to facilitate the movement of customer assets, unlike a correspondent banking account that domestic banks maintain with foreign banks in a correspondent banking relationship.

Nonetheless, the Updated Guidance clarifies that Recommendation 13, regarding cross-border correspondent relationships, is equally applicable to VASPs, in that the ‘provision of VASP services by one VASP to another VASP or FI…[on an] ongoing, repetitive nature’ would constitute a correspondent relationship in a VA context. This includes one VASP white-labelling its platform functionality to another VASP, or any VASP providing access to liquidity and trading pairs.

This means that in addition to performing normal CDD measures, such as collecting typical corporate documentation (e.g., certificate of incorporation, director/shareholder registers etc.), VASPs are now expected to apply additional due diligence measures on the counterparty VASP before the provision of any services, such as gathering sufficient information about the counterparty VASP, its nature and business, its AML/CFT control framework, its overall reputation and the quality of supervision or regulatory action or AML/CFT investigations the counterparty VASP is subject to, etc.

Even though such information is ultimately helpful for a VASP in conducting the counterparty due diligence necessary to comply with the Travel Rule, FATF has clarified that due diligence undertaken for the purpose of a correspondent relationship is distinct and separate from the due diligence conducted for Travel Rule purposes.

Counterparty Due Diligence:

The Updated Guidance tracks closely the March Draft Guidance and lays out a three-phase approach to counterparty due diligence, which includes:

(1). Determining if the transaction is with a counterparty VASP;

(2). Identifying the counterparty VASP; and

(3). Assessing the counterparty VASP.

All three phases should be completed before any transfer of information takes place.

The Updated Guidance reiterated that the FATF Guidance on Correspondent Banking Services and the Wolfsburg Questionnaire can be considered for the approach to counterparty VASP due diligence and to assist the review of the counterparty VASP’s AML/CFT systems and controls framework.

Interestingly, the Updated Guidance has additionally expanded the counterparty due diligence obligation to include an assessment into the counterparty VASP’s ability to ‘adequately protect sensitive information’. However, the Updated Guidance did not provide any further clarity on the adequacy of such privacy measures and how such assessment should be conducted.

Travel Rule

The Updated Travel Rule Guidance reiterated FATF’s position that the requirements of Recommendation 16 apply to VASPs regardless of whether the transaction is denominated in fiat currency or VA, and that they also cover a VA transfer between a VASP and an unhosted wallet/non-obliged entity. This requires VASPs and/or FIs to collect identifying information regarding the originators and beneficiaries of domestic and cross-border wire transfers and submit that information to the intermediary and receiving VASPs or FIs.

The Updated Guidance anticipates the ‘sunrise issue’ in countries where the FATF Recommendations have yet to be promulgated into local law, and still requires compliance with the Travel Rule. It suggests that a contract be signed between the Ordering Institution and the Beneficiary Institution where the Beneficiary Institution is located in a jurisdiction in which the Travel Rule has yet to be implemented or come into force.

The Updated Guidance has clarified that the originator’s and beneficiary’s account numbers can be taken to mean the wallet address of the VA. Transaction fees relating to VA transfers are similarly clarified not to be within the scope of the Travel Rule, as the recipient of the transaction fees is ultimately ‘not the originator or recipient of the VA transfer.’

An addition to the Travel Rule in this Updated Guidance is the possibility of allowing alternative procedures, including not sending the required user information, if a VASP believes the counterparty VASP will not be able to handle the transmitted user data securely, even if the AML/CFT risks are acceptable.

Whilst many of the clarifications have been helpful, the Updated Guidance nonetheless still presents significant practical challenges for VASPs in complying with the Travel Rule obligation, especially in dealing with the ‘sunrise issue’. A Beneficiary VASP also faces the challenge of not receiving the user information at all should the Originating VASP deem it unable to securely handle the transmitted user data.

Travel Rule Compliance For Transfers To/From Unhosted Wallets

The Updated Guidance closely adopts the March Draft Guidance, and FATF recognises that a VA transfer between a VASP and an unhosted wallet can happen (i.e. to a private individual or non-obliged beneficiary). The Travel Rule must still be complied with in this circumstance.

Whilst VASPs or FIs originating a transfer are not expected to submit the necessary information to private individuals or non-obliged entities, a VASP receiving a VA transfer should obtain the required originator user and beneficiary information directly from the beneficiary customer. Any VASP or FI should similarly consider filing an STR if the customer does not respond in a timely fashion and fails to provide the required information and details.

Conclusion

Although the Updated Guidance does not impose direct legal or regulatory obligations, it remains to be seen how other FATF member countries will ultimately adopt these recommendations and apply them, through local AML/CFT laws and regulations, to VAs and VASPs. Notwithstanding the uncertainties that surround the adoption and applicability of Travel Rule requirements, FATF nevertheless expects regulated VASPs, FIs and other obliged entities involved in VA activities to comply with its Recommendations. Accordingly, all aspiring participants in VA activities should examine their existing AML/CFT controls and transaction monitoring framework to ensure that they are in line with this Updated Guidance.
