FATF’s Update on Virtual Assets, Virtual Asset Service Providers & Travel Rule

Introduction

In late March 2021, FATF has since published a Draft Guidance on a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (‘Draft Guidance’) seeking public consultation on its draft proposal and clarify the June 2019 Risk-Based Approach on VAs and VASP Guidance.

Whilst the Draft Guidance is yet to be approved and further changes may be made, however, it’s clear that FATF intends to scrutinize issues like stable-coins, peer-to-peer (P2P) transactions, DeFi, NFTs and the Travel Rule implementation as explained below.

FATF released its latest update (June 2021) on Travel Rule implementation in general and FATF suggests that majority of the countries have yet to implement the FATF requirements with only 58 out of the 128 reporting jurisdictions have taken measures to either regulate or prohibit the operations of VASPs. FATF is also calling for all remaining jurisdictions to implement the revised FATF Standards as a priority with the finalization of the Draft Guidance expected to be published in October 2021.

Expansive Interpretation of Virtual Assets (‘VA’)

The Draft Guidance clarified the definition of VA, with FATF emphasizing that an ‘expansive view’ on the definition should be taken. FATF further stated that a VA cannot simply be a means of recording or a unit representing ownership, but must instead have an inherent value to be digitally traded or transferred and be capable of being used for payment or investment purposes. This means that any tokens that may be bought, sold or traded on the secondary market enabling the transfer or exchange of value, including certain Non-Fungible Tokens (NFT)[1], that may carry money laundering or terrorist financing risks, may be considered VA.

Even though FATF is quick to provide exemption to the definition of VAs, by excluding any closed-loop items that cannot be sold or traded on the secondary market (e.g., airline miles, credit card rewards or loyalty programs), FATF has also emphasized that no digital assets should be deemed to be excluded from FATF Recommendations or be interpreted as falling entirely outside of the FATF Standards.

FATF further highlighted that it does not intend for any asset to be both a VA and a traditional financial asset (e.g. securities or commodities) at the same time. In determining whether to classify an asset as a VA or a traditional financial asset, the Draft Guidance suggest that countries should consider the classification best suited in mitigating risk arising from the particular digital asset and the commonly accepted use cases. Although FATF concedes that various jurisdictions may ultimately classify the digital asset differently, jurisdictions should ultimately ensure that digital assets which do not qualify as VA are adequately covered by any of its existing regulatory framework.

Expansive Definition of Virtual Asset Service Providers (‘VASP’)

Similarly, the definition of VASP should be interpreted broadly. FATF clarified that VASP’s definition applies to entities ‘who is not covered elsewhere in the Recommendations’ and ‘as a business’ who conducts exchange/transfer of VAs, safekeeping and/or administration of VAs or participation in and provision of financial services related to an issuer’s offer and/or sale (‘VA activities’). This means that any financial institutions (FIs) or intermediaries covered elsewhere in the FATF Standards are excluded. Additionally, any person/entity who carries out those VA activities for itself on an infrequent/non-commercial basis will also be excluded.

Services explicitly included in the Draft Guidance and constitute to be a VASP under the FATF definition are:

• VA escrow and any other custody service providers which require multiple digital signatures (and therefore multiple private keys) to perform a transaction from a wallet;
• VA brokerage service provider that facilitates the issuance / trading of VAs on behalf of its customers;
• Order-book exchange service providers;
• Advanced trading services which allow users to access more sophisticated trading techniques;
• Providers of kiosks — e.g., BTC ATM or crypto-vending machines provider; and
• ICO issuers or promotors.

Interestingly, the Draft Guidance noted that exchanges or transfer services provided through ‘decentralized exchanges or platforms’ or so-called DEXs or DApps, will usually have a central party with some measure of involvement, such as creating and launching an asset, setting parameters, holding an administrative ‘key’ or collecting fees. Even though the DApp itself (i.e., the software program) is not a VASP, the entities involved or the owner/operator of such DApp or DEX is likely to be considered a VASP even if portions of the process are automated.

In determining whether a service provider falls under the definition of VASP, consideration should be given to the lifecycle of the products and services. Launching a VA activities in itself will not relieve a provider of its VASP obligations, even if those VA activities or functions will proceed automatically, especially if the provider will continue to collect fees or realize profits, regardless of whether the profits are direct or indirect gains. The use of automated process such as smart contracts to carry out VA activities does not relieve the controlling party of its responsibility and obligations, as VASP. To determine VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.

This clearly opens up the possibility for DeFi activities to be the subject of future regulations. Moreover, any entity that are building codebase DeFi protocol intended to be exploited or are otherwise directly or indirectly economically benefiting from that software program, the entity may be deemed to be a VASP and accordingly, subject to all applicable AML/CFT obligations like any other centralized VASPs. Even though the industry is expected to push back and that FATF’s Draft Guidance does not have the force of law, it will be interesting to monitor if the various jurisdictions is able to resist incorporating such Recommendations into local laws.

Additional Guidance on Licensing & Registration of VASPs

The Draft Guidance also provides updates about two essential questions relating to licensing and registration of VASPs, namely:

(i) Which VASPs should be licensed or registered; and

(ii) How to identify VASP for licensing or registration.

In addition to VASP being required to be licensed or registered in the jurisdiction of incorporation or where its place of business is located, FATF also suggested that VASP should equally be licensed in a host jurisdiction where the relevant VASP’s services can be accessible or made available to the people residing or living within the jurisdiction. The Draft Guidance states that jurisdictions should monitor for entities engaged in unlicensed or unregistered VA activities, including designating a competent authority responsible for identifying and sanctioning unlicensed or unregistered VASPs. Given the cross-border nature of digital services, such principle can be unduly harsh and potentially limit the particular VASP’s geographical scaling ambition. There must be some reasonable limits to requiring VASP be licensed in host jurisdictions, where such user onboarding are carried out on reverse solicitation and no active marketing were conducted in the host jurisdiction.

FATF Standards on Stable-coin

The Draft Guidelines reaffirms FATF’s position on stable-coins and that it should be covered as a VA or as a traditional financial asset (e.g., securities or commodities) according to the same criteria used for the other types of digital assets. FATF also affirms that entities involved in stable-coin arrangement should have AML/CFT obligations under the revised FATF Standards. In particular, the Draft Guidance focuses on the central developer or governance body who established or participated in setting up the rules governing the stable-coin, or those that carry out basic functions of the stable-coin arrangement, including managing the stabilization function or those that manage the integration of stable-coin into telecommunication platforms. These central body will generally be covered by the FATF Standards as a financial institution or a VASP, thereby making them accountable for AML/CFT obligations and the obligation to mitigate ML/TF risk.

Even though the FATF Standards apply to stable-coins, FATF cautioned that the Draft Guidance does not extend and apply to Central Bank-issued Digital Currencies (‘CBDC’). Rather, FATF categorized CBDC as similar to any fiat currency issued by a central bank, rather than the VA that the Draft Guidance seeks to address.

Peer-to-Peer (P2P) Transactions

The Draft Guidelines clarifies that P2P transactions are not explicitly subject to AML/CFT obligations under the FATF Recommendations because FATF generally places obligation on intermediaries between individuals and the financial system rather than between the individuals themselves. As such, FATF deemed P2P transaction as similar to physical cash or fiat currency (cash) transactions.

However, FATF affords the flexibility to individual jurisdictions to regulate P2P transactions if and when the associated money laundering or terrorist financing risks is deemed to be too high. In addition, FATF recognizes that P2P transaction could potentially lead to systematic ML/TF vulnerabilities in some jurisdictions, especially once P2P transactions gain widespread and mainstream traction, causing the number and value of transactions not subject to AML/CFT controls to exponentially increase. Moreover, the full maturity of any such protocols that enable P2P transactions, could foreshadow a future without any financial intermediaries, potentially challenging the effectiveness of the FATF Recommendations.

Accordingly, the Draft Guidance suggest measures to mitigate any P2P exposure or any unacceptably high ML/TF risk of P2P transactions, including increasing transparency into P2P transactions, limit the availability of certain P2P transactions, enhanced supervision and communication with the private sectors to raise awareness of the risk posed by P2P transactions. The Draft Guidance further advise any VASPs to take a ‘compliance by design’ approach in which any VA or any products that VASP planned to launch that facilitates P2P transactions should consider the extent to which their customers may engage in or be involved with P2P activity and how ML/TF risk should be mitigated in the design and development phase.

Travel Rule

The Draft Guidance also revisits Recommendation 16 — Wire Transfers / Travel Rule and provided clarity on its application to VASP conducting VA transfers. With the Travel Rule obligation, Ordering VASP in a VA transfer is required to hold and obtain accurate originator information and transmit the required beneficiary information to the Beneficiary VASP immediately and securely. This means that VASP should ensure that information is submitted simultaneously or concurrently with the VA transfer and in a secure manner. Batch submission of the originator and beneficiary information is acceptable as long as the submission occurs securely and before or upon the VA transfer is conducted. Any post facto submission of the originator and beneficiary information is thus not permitted.

The Draft Guidance also requires VASP to conduct sanctions screening of their customer at the time of onboarding and screen the names of the originator or the beneficiary, when VASP conduct or are in receipt of a VA transfer.

Counterparty VASP Due Diligence

To further ensure that a VASP transmit the required information to another VASP or other obliged entity (such as FI) and not to a non-obliged entity (e.g., when a VASP sends VA to an individual user or a corporate whose activities does not constitute VA activities), FATF recommends that a VASP identifies and conducts due diligence on their counterparty VASP, before allowing VA transfer and transmission of the originator and beneficiary’s information. FATF does not expect VASP to conduct counterparty VASP due diligence for every single VA transfer, however such counterparty VASP due diligence must be conducted before the first transfer of information takes place and should be refreshed periodically or when a suspicious transaction or risk alerted.

As to what entails a counterparty VASP due diligence, FATF has suggested consideration into FATF Guidance on Correspondent Banking Services (e.g., Wolfsberg Questionnaire) for the approach, even though a counterparty VASP relationship is not akin to a correspondent banking relationship.

In addition, VASP is also required to consider and assess the jurisdictional risk of the counterparty VASPs, e.g. assessing the AML/CFT laws of the jurisdiction, the country’s national risk assessment reports etc., and consider any additional control measures for countries with weak implementation of AML/CFT regime by imposing intensive monitoring of transactions with VASPs based in the country, placing amount restrictions on transactions or enhanced / frequent due diligence.

Moreover, the Originating VASP is further required to assess the counterparty VASP’s AML/CFT systems and controls framework as part of the counterparty VASP due diligence procedure. Assessment should also include confirming with the counterparty VASP’s AML/CFT controls are subjected to independent audit (be it external or internal).

It should also be highlighted that the implementation of Travel Rule by counterparty VASP constitutes a risk factor in assessing their AML/CFT systems and controls framework and any failure to implement Travel Rule by the counterparty VASPs should be deemed as a higher risk in ML/TF and due diligence assessment.

Sunrise Issue

In circumstances where a counterparty VASP is residing/located in a jurisdiction where the Travel Rule has yet to be implemented or in force, commonly known as the ‘sunrise issue’, FATF has stressed that Travel Rule compliance is still required even though it remains a challenge.

The suggested approach by FATF to Originating VASPs would be to require the counterparty VASPs or the Beneficiary VASPs to comply with Travel Rule by manner of contract or business arrangement. Individual VASPs can either request a signed contract for both parties to transmit and exchange relevant originating and beneficiary customers’ information or by the manner of an agreed business arrangement. Whichever approach the Originating VASP takes to comply with the Travel Rule, each VASP must decide based on their own risk-based analysis.

Faced with the ‘sunrise issue’, VASPs who wish to remain compliant can further consider taking additional robust measures as recommended by FATF:

• Restricting transfers to within their customer bases (i.e. internal VA transfers within the same VASPs);
• Only allow confirmed first-party transfers outside of the customer base (i.e. originator and beneficiaries are confirmed to be the same person); or
• Implement enhanced monitoring of transactions.

Travel Rule Must Still Be Adhered With Regardless of Circumstances — For Unhosted Wallets

In addition, FATF acknowledged that VA transfer between a VASP and an unhosted wallet can happen, especially a VA transfer on behalf of its customer, to a private individual or non-obliged beneficiary.

With unhosted wallet largely undefined by the Draft Guidance, it is worth highlighting that the U.S. Financial Crimes Enforcement Network (FinCEN), defined unhosted wallet as ‘wallets where users control the funds’ and U.S Treasury expressed similar understanding ‘an unhosted wallet is not hosted by any third-party financial system.’ Such interpretation extends not only to private individual wallets not hosted by any VASPs or any third-party financial system but also to any non-obliged entities’ private wallets (i.e. any merchant’s private VA wallet that merely accepts VA for sale and purchase of goods or services.

In such circumstance, the Draft Guidance has emphasized that Travel Rule must still be adhered to by the VASPs. Even though FATF does not expect VASP or FIs when originating a transfer (i.e. Originating VASPs) to submit the required information under Travel Rule to individuals or non-obliged entities, nevertheless VASP receiving a VA transfer (i.e. Beneficiary VASPs) should directly obtain the required originator and beneficiary information from the beneficiary customer. Any VASP or FIs should also consider filing STR if the customer does not respond in a timely fashion and who fails to provide the required information and details.

Conclusion

It is important to highlight that the update to the Draft Guidance is FATF initiative to reach out to public feedback and consultation. As yet, it has not been adopted as law nor has any of the countries clarified their position in relation to their regulatory position. However, if and when adopted and implemented, it would result in a number of significant changes to the regulation and governance of the cryptocurrency market, such as the expansion of the definition of VA or VASPs to include entities involved with DeFi or DApps, the undertaking of counterparty VASP due diligence or even the increased due diligence expected of VASP that engage with unhosted wallets.

These sentiments were recently echoed by Ravi Menon (Managing Director MAS) who hinted towards new regulations in the panel discussion on DeFi and the Future Money with Mark Carney (former Governor of Bank England) on 28 June 2021.

By decentralising key aspects of financial infrastructure, such as access, data, and code, open crypto networks can also potentially enhance inclusion and innovation. Open crypto networks based on self-executing smart contracts and non-custodial financial services, where users maintain control over their assets at all times and replacing intermediaries and central parties, these networks aim to reduce both the cost and risk of finance.

It was noted that there is a continuum that spans, at one extreme, a completely centralised system where there is only central bank money, and at the other extreme a decentralised system where there are only private monies in circulation.

The industry should be wise to address the issues and principles highlighted and collaborate to find mutually beneficial actionable steps and solutions. Each country will have to choose different positions along the continuum, given its own cultural norms, social compact, and institutional structures.

It was noted that it is an even bigger discussion than just a monetary one. Ultimately, any decision will be political and must have the “consent of the people”.