On June 27th 2023, the FATF published its report on country compliance with Recommendation 15 – including the Travel Rule – and updates on emerging risks and market developments. Global implementation and compliance remain relatively poor and behind most other financial sectors.
The Guidance describes how FATF recommendations apply to countries and competent authorities, as well as to VASPs and other obliged entities that engage in VA activities, including financial institutions
Almost all the FATF recommendations are directly relevant to address the money laundering and terrorism financing (ML/TF) risks associated with VAs and VASPs (see Biggest Crypto & Blockchain Unicorns).
FATF recommendations apply to VASPs in the same manner as FIs, with two specific qualifications:
- The occasional transaction threshold, above which VASPs are required to conduct customer due diligence (CDD), is USD/EUR1,000 (rather than USD/EUR15,000);
- The wire transfer rules set out in Recommendation 16 apply to VASPs and VAs transfers in a modified form (so-called “travel rule”).
FATF’s report finds that jurisdictions continue to struggle with fundamental requirements such as undertaking a risk assessment, enacting legislation to regulate VASPs, and conducting a supervisory inspection (see What is Blockchain?).
Based on 98 FATF mutual evaluation and follow-up reports since the revised R.15/INR.15 was adopted, 75% of jurisdictions are only partially or not compliant with the FATF’s requirements.
In addition, jurisdictions have made insufficient progress on implementing the Travel Rule, which is a key AML/CFT measure. Of the 151 jurisdictions that responded to FATF’s 2023 Survey, more than half still have not taken any steps towards implementing the Travel Rule (see New Crypto DeFi Crime Trends).
This is a serious concern as the risks posed by VAs and VASPs continue to increase and that the lack of regulation creates significant loopholes for criminals to exploit. This demonstrates an urgent need for jurisdictions to accelerate implementation and enforcement of R.15/INR.15 to mitigate criminal and terrorist misuse of VA and VASPs (see about Investing in the Metaverse).
FATF’s report acknowledges collaboration among the private sector members to improve industry compliance with R.15/INR.15 including the Travel Rule and highlights that all players need to have appropriate risk identification and mitigation measures and continue to work towards fully compliant Travel Rule compliance tools.
While DeFi and unhosted wallets including P2P do not account for a large share of transactions, they are at risk of misuse, including by sanctioned actors.
The FATF calls on all countries to rapidly implement the FATF’s Standards on VAs and VASPs, including the FATF’s Travel Rule (see Virtual Worlds in the Metaverse. How Blockchain Helps E-commers?).
The FATF will therefore continue to monitor the illicit financing risks and developments in this sector.
In February 2023, the FATF adopted a roadmap to improve implementation of R.15. In line with this roadmap and to address the findings of this report, the FATF will:
- Continue to conduct outreach and provide assistance to low-capacity jurisdictions
- Identify and publish steps FATF member jurisdictions and other jurisdictions with materially important VASP activities have taken towards implementing R.15/INR.15
- Facilitate sharing of finding, experiences, and challenges including relating to DeFi, unhosted wallets, and P2P and monitor market trends in this area for material developments that may necessitate further FATF work
- Continue to engage with member countries and the private sector on progress and challenges
- Conduct a further review on progress and remaining challenges for implementation by June 2024
What’s new in the updated Guidance?
This updated Guidance is focused on six key areas to:
- Clarify the definitions of VA and VASP to spell out that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF standards (either as a VA or as another financial asset);
- Provide guidance on how the FATF standards apply to stablecoins and clarify that a range of entities involved in stablecoin arrangements could qualify as VASPs under the FATF Standards;
- Provide additional guidance on the risks and tools available to countries to address the ML/TF risks for peer-to-peer (P2P) transactions, which are transactions that do not involve any obliged entities;
- Provide updated guidance on the licensing and registration of VASPs;
- Provide additional guidance on the implementation of the travel rule;
- Include principles of information sharing and cooperation amongst VASP supervisors.
Regulating virtual assets service providers is challenging for all. National authorities need to develop skills to understand the technology involved, while service providers have to understand and apply financial rules that apply to the sector.
It is up to the sector to develop the technology to meet the FATF’s requirements, particularly when it comes to the so-called ‘travel rule’, which requires securely collecting and transmitting originator and beneficiary information (see Venture Capital Investment in Web 3.0, Blockchain & Crypto Startups).
To help governments and the industry, the FATF has developed guidance on how to take a risk-based approach in this area. The guidance, which had significant input from the sector itself, explains how to understand the risks, how to license and register the sector, and how to know who their customers are, store this information securely and detect and report suspicious transactions.
What is Virtual Assets?
Virtual assets (crypto assets) refer to any digital representation of value that can be digitally traded, transferred or used for payment. It does not include digital representation of fiat currencies. Virtual assets have many potential benefits and dangers.
They are largely unregulated, and also have the potential to become worthless and are vulnerable to cyberattacks and scams.
Without proper regulation, virtual assets also risk becoming a safe haven for the financial transactions of criminals and terrorists.
The FATF has been closely monitoring developments in the cryptosphere and has issued global, binding standards to prevent the misuse of virtual assets for money laundering and terrorist financing. In recent years, some countries have started to regulate the sector, while others have prohibited virtual assets altogether.
However, the majority of countries are yet to implement effective regulations. These gaps in the global regulatory system have created significant loopholes that can be exploited by criminals, terrorists and rogue regimes.
Taking effective action
Countries need to fully and effectively implement the FATF’s Standards for virtual assets as a priority. At the same time, virtual asset providers need to carry out the same preventive measures as financial institutions, such as customer due diligence (CDD), record keeping and suspicious transaction reporting (STR). This will ensure transparency of virtual asset transactions and keep funds with links to crime and terrorism out of the cryptosphere.
Many virtual asset service providers are perceived as ‘risky business’ and denied access to bank accounts and other regular financial services.
While there have been technical challenges to implementing the FATF’s requirements in the sector, they will ultimately increase trust in blockchain technology
The effective global implementation of these standards by all countries will ensure virtual asset technologies and businesses can continue to grow and innovate in a responsible way, and it will create a level playing field. It will prevent criminals or terrorists seeking out and exploiting jurisdictions with weak or no supervision.
Compliance with the FATF Standards
Key findings in the FATF’s report include:
- In total, 75% of 98 jurisdictions remain partially or not compliant with the FATF’s requirements.
- Furthermore, 34% of 151 survey respondents on R.15 implementation have not conducted a risk assessment.
- Almost the same number have not yet decided if and how to regulate the VASP sector.
- Results of mutual evaluation and follow-up reports show that 73% – 71 of 98 jurisdictions – are not conducting adequate risk assessments.
- More than 50% of the respondents – excluding those that prohibit VASPs – have taken no steps towards Travel Rule implementation.
- Among those who have, supervision and enforcement is low with only 21% having issued findings, directives or taken enforcement or supervisory actions.
Extended definition of VAs and VASPs
The Guidance increases its scope to include new types of digital assets and providers of certain services in these assets as VAs and VASPs, effectively leading to a situation where no financial asset will be interpreted as falling entirely outside the FATF Standards.
If non-fungible tokens (NFTs) are to be considered as VAs, this should be determined on a case-by-case basis.
A decentralized finance (DeFi) application (i.e., a software program) is not a VASP, as the FATF Standards do not apply to underlying software or technology. However, creators, owners and operators, or other persons who maintain control or sufficient influence over DeFi arrangements may fall under the FATF definition of a VASP if they provide or actively facilitate VASP services.
How do FATF standards apply to stablecoins?
If stablecoin arrangements have a central developer or governance body, they will generally be covered by the FATF standards either as a FI or a VASP.
Therefore, such bodies should undertake ML/TF risk assessments before the launch or use of the stablecoin, and take appropriate measures to manage and mitigate risks across the arrangement before launch.
Countries should carefully consider the risks posed by stablecoins that lack such a readily identified central body and the need for mitigation measures, especially those recommended for P2P transactions.
Additionally, this does not only apply to software code developers, but rather the persons involved in stablecoin arrangements that provide financial services covered by the VASP definition. A range of other entities in the stablecoin arrangement may also have AML/CFT obligations, such as exchanges or custodial wallet services.
Particular concern with stablecoins highlighted by the FATF is their potential for mass-adoption, which could heighten ML/TF risks.
P2P transactions currently out of reach
P2P transactions are not explicitly subject to AML/CFT controls under the FATF standards. This is because the FATF Standards generally place obligations on intermediaries (“obliged entities”), rather than on individuals themselves.
Illicit actors could exploit this to obscure the proceeds of crime because there is no obliged entity carrying out the core functions of the FATF Standards, such as CDD and suspicious transaction reports (STRs).
For this reason, FATF urges for ML/TF risks related to P2P transactions to be monitored by countries and VASPs in an ongoing and forward-looking manner (especially if there is a clear trend of increasing P2P transactions to the point that illicit activity was occurring to a “significant degree”). The Guidance now provide a set of measures that countries should consider to mitigate these risks at a national level.
Smart contracts and the struggle to define a VASP
Using an automated process like a smart contract to carry out VASP functions does not relieve the part(ies) of their VASP obligations and responsibilities.
In these instances, controlling parties that qualify as VASPs should undertake ML/TF risk assessments before the platform is launched or used and take appropriate measures to mitigate risks.
However, it can be challenging in certain circumstances to identify which entities are VASPs and define their regulatory perimeter.
When there is a need to assess a particular entity to determine whether it is a VASP or evaluate a business model where the VASP status is unclear, the Guidance provides a few general questions that can help supervisors guide the answer (such as who profits from the use of the service, who established the rules and can change them, who can shut down the product or service etc).
Which VASPs should be licensed or registered?
Countries should designate one or more authorities responsible for licensing and/or registering VASPs, either by including VASPs into an existing licensing regime or creating a new one.
VASPs should be required to be licensed or registered in the jurisdiction where they are created. This could prove challenging to determine if a VASP is a natural person.
While not required by the FATF standards, host countries may also require VASPs that offer products and/or services to customers in, or that conduct operations from, their jurisdiction to be licensed or registered in the jurisdiction. The Guidance provides a set of criteria to help identify when services are considered to be provided on a cross-border basis.
A country does not need to impose a separate licensing or registration system for VASPs regarding already licensed FIs within that country.
Travel Rule Implementation Remains Problematic
Specifically for the Travel Rule, while the private sector now offers a range of technological tools, they generally do not fully comply with all of the FATF’s Travel Rule requirements.
The FATF identified two key challenges facing such tools – compliance with the FATF Travel Rule requirements and friction due to the lack of interoperability between different solutions.
However, it must be noted that the uneven pace of adoption across different jurisdictions that VASPs may operate in – a problem identified by the FATF itself – compounds the challenges faced by the private sector.
Examples of shortcomings that the FATF highlighted include:
- The tools only permit the transmission of transaction ID instead of the originator’s wallet address.
- The tools do not require the VASP to send information immediately or before the transaction is executed.
- The tools are unable to transmit transaction information for all types of VAs and/or transactions of any amount.
- The tools do not permit the downloading or retention of transmitted information for recordkeeping or transaction monitoring.
- The tools do not enable a VASP to locate a counterparty VASP for all VA transfers and provide a communication channel for due diligence.
The FATF report also included useful guiding questions for VASPs and jurisdictions to engage with Travel Rule solution providers.
New and Recurrent Emerging Risks
In terms of emerging risks, the threat posed by the Democratic People’s Republic of Korea (DPRK’s) illicit blockchain activities for proliferation and terrorist financing (PF/TF) received top billing.
The FATF highlighted a March 2023 report by the UN Panel of Experts for North Korea on funding streams for DPRK that include cyber-enabled heists from VASPs to generate revenue for its unlawful WMD and ballistic missile programs.
Significantly, “a higher value of [virtual] assets was stolen by [DPRK] actors in 2022 than in any previous year” – findings supported by Elliptic’s own analysis.
Other sanctioned groups such as ISIS, Al-Qaeda and affiliates are also shifting towards the use of VAs, including anonymity-enhanced coins, for terrorist financing. In addition, VAs are increasingly used as a typology via crowdfunding platforms for the financing of extreme right-wing terrorism.
Emerging risks that reappear in this year’s report from last year include:
- Decentralized finance (DeFi) – jurisdictions face difficulties in identifying regulated entities in DeFi arrangements and determining whether they qualify as VASPs.
- Unhosted wallets (including peer-to-peer transactions) – most respondents have not yet evaluated the specific risks posed by unhosted wallets or P2P transactions.
- Non-fungible tokens (NFTs) and stablecoins.
The focus on PF/TF risks in VAs is not surprising, given that it was mentioned during an April private sector engagement session organised by the FATF. Nonetheless, this underlines the urgency for jurisdictions and the private sector to tackle this issue through proper identification and mitigation measures.
Edited by Oleg Parashchak