The Financial Action Task Force (FATF), an intergovernmental organization that develops policy recommendations for anti-money laundering (AML) and combatting the financing of terrorism (CFT), released updated guidance on virtual assets (VAs) and virtual asset service providers (VASPs). This follows a 12-month review period after FATF’s initial publication of recommendations. While the FATF is an extra-legal, non-governmental organization, its recommendations often influence local regulations.
With the current update, the FATF seeks to clarify definitions of VAs and VASPs, as well as provide guidance on stablecoins, peer-to-peer transaction risk mitigation, and compliance with the travel rule. In addition, the document outlines best practices for information sharing and cross-border collaboration amongst VASP supervisors.
Key updates include:
Expansive definition of virtual assets:
The guidance defines virtual assets broadly, including any digital tokens that can be issued, traded, or transferred outside of a closed-loop system. Thus, for example, airline miles and credit card points are excluded, but governance tokens issued by decentralized blockchain protocols that can be traded on exchanges are included, regardless of their marketed definition or stated utility function.
Expansive definition of VASPs to include DeFi:
VASPs are also defined broadly, including entities that facilitate any aspect of a financial transaction between virtual assets or between virtual assets and fiat currency. Importantly, decentralized finance (DeFi) protocols and applications (i.e., DApps) are included, along with multi-signature wallets. The guidance specifies that its recommendations do not cover technology but rather entities and legal persons facilitating financial services with such technologies.
Stablecoin providers are included as VASPs:
The recommendations note that entities issuing or providing financial services around stablecoins will invariably be considered VASPs (if not otherwise regulated as financial institutions) and thus have AML and CFT obligations.
Expanded data collection and record-keeping obligations of VASPs:
The guidance notes that “VASPs have customer due diligence obligations at time of onboarding and on an ongoing basis,” recommending a lower bound of USD/EUR 1000 as the threshold triggering expanded data collection obligations for “occasional transactions” (rather than the current recommended threshold of USD/EUR 15000). While the guidance notes the privacy risk associated with increased data collection, it suggests that reliance on public blockchain data alone is insufficient unless coupled with data tied to legal persons.
Increased scrutiny on VASPs that engage with unhosted wallets:
While unhosted wallets fall outside the scope of the supervisory definition recommended by FATF, the guidance suggests that VASPs that enable their customers to transact with unhosted wallets could be subject to enhanced supervision, even to the point of being denied licenses if their risk mitigation activities are not deemed sufficient.
Travel rule obligations of VASPs:
The guidance notes that travel rule guidelines apply to VASPs as they do to traditional financial institutions, specifying a number of data elements that must be collected and retained by both originating and beneficiary VASPs party to a transaction.
The guidance demonstrates an attempt to stay on top of rapid developments within the DeFi space, largely focusing on closing the KYC/AML loopholes created by decentralized apps and protocols, which account for billions of dollars of daily market activity. In practice, it may be difficult to define VASPs precisely in the context of decentralized finance and to enforce the corresponding obligations.
For example, a strict reading of the guidance would categorize the following entities as VASPs with corresponding AML/CFT obligations:
Any entity that issues a stablecoin, even if it does not offer additional financial services in relation to that stablecoin
Digital asset custodians, even if they do not retain full control of wallets due to multi-signature technologies
Majority holders of certain DeFi protocol tokens
Technology companies that raised venture capital funding through a one-time token issuance
Developer teams that developed, marketed, and launched an autonomous platform even after relinquishing control of the operations and governance of the platform
There are practical issues with how to regulate activities that are facilitated on an ongoing basis by software, rather than by individuals or entities. Furthermore, industry is likely to push back on certain data-collection recommendations based on the increased costs of compliance (due to increased false positives) and the corresponding data privacy/unauthorized surveillance risks. These issues will likely play out in policy deliberations between industry and supervisory authorities over the next several years.
How Guidehouse Can Help
Guidehouse can help financial institutions and VASPs assess their compliance programs in light of current regulatory guidance and potential policy changes forecasted by the above FATF recommendations. This includes developing and implementing updates to operations, policies, procedures, controls, technology, and information sharing practices. Furthermore, Guidehouse can conduct counterparty risk assessment to determine risk of doing business with entities that may be characterized as VASPs but have not addressed their own areas of compliance weakness.
Our areas of relevant expertise include the following:
Vendor sourcing and governance
Guidehouse can review and assess your compliance and risk program to determine whether it is sound, identify gaps or weaknesses, or conduct training on AML and Sanctions compliance, including blockchain tracing and analytics. Guidehouse is well-equipped to make an individualized assessment of your unique circumstances and offer innovative advice and solutions for responding to changing regulatory requirements.