In October 2021, the Financial Action Task Force (FATF) published an updated Guidance for a Risk-Based Approach for Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). The Guidance is part of the FATF’s ongoing monitoring of the VAs and VASPs sector and further explains how the FATF’s Recommendations should apply to them.
A risk-based approach (RBA) means that countries, competent authorities, financial institutions and VASPs need to identify, assess and understand the money laundering (ML) and terrorism financing (TF) risks to which they are exposed. These entities also need to take appropriate mitigation measures according to the level of risk: usually, lower risk requires less strict measures and higher risk demands stricter actions.
On the one hand, the Guidance acknowledges that new technologies, products and related services have the potential to foster financial innovation, efficiency and improve financial inclusion. On the other hand, they may create new opportunities for criminals and terrorists to launder their crime proceeds or finance their illicit activities. To address these issues, the Guidance focuses on six key areas:
1. Clarification of the definitions of VA and VASP;
2. How the FATF standards apply to stablecoins;
3. Risks and tools available to countries to address ML/TF risks to peer-to-peer (P2P) transactions;
4. Guidelines on the licensing and registration of VASPs;
5. Additional guidance for the public and private sectors about the implementation of the “travel rule”;
6. Principles of information-sharing and cooperation amongst VASP Supervisors;
The FATF Recommendations state that “a virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes”. A VASP, by its turn, refers to any natural or legal person not covered elsewhere under the Recommendations that, as a business, conducts one or more of these activities for another natural or legal person:
a) The exchange between virtual assets and fiat currencies;
b) The exchange between virtual assets;
c) Transfer of virtual assets;
d) Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
e) Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset;
Concerning stablecoins, the FATF reaffirmed the statements on its G20 report that a stablecoin is covered by the Standards as either a VA or a financial asset depending on its exact nature and the regulatory regime in a country. In addition to that, the Guidance clarified that a range of entities involved in stablecoin trading could be deemed as VASPs or a financial institution (FI) under the FATF Standards. Finally, the Guidance presents a hypothetical case study of a stablecoin arrangement and the application of the Standards for that case.
According to the FATF’s definition, P2P transactions are VA transfers conducted without use or involvement of a VASP or other obliged entity. It is also worthy to note that P2P transactions are not explicitly subject to AML/CTF controls under the Standards because they usually exercise control over the intermediaries rather than on the individuals.
Concerning the risks related to P2P transactions, the Guidance states that illicit actors may exploit the lack of an obliged intermediary to layer their crime proceeds precisely because there is no entity obligated to conduct Know Your Customer (KYC), Client Due Diligence (CDD) and AML/CTF checks. Regarding the tools and measures that countries may employ to mitigate the risks arising from P2P transactions, the Guidance presents them in paragraphs 105 and 106.
The Guidance was updated to clarify that the FATF Standards apply to VASPs and other obliged entities that provide VA activities. In Part Four, the Guidance included references to:
a) Correspondent banking and other similar relationships;
b) Technological solutions that may enable VASPs to comply with the travel rule;
c) Counterparty VASP identification and CDD;
d) VA transfers to and from unhosted wallets;
e) Key red-flag indicators for VAs;
Regarding the travel rule, VASPs must comply with the requirements provided for in Recommendation 16: the obligation to obtain, hold and submit information about the originator and beneficiary of VA transfers in order to identify and report suspicious transactions, take freezing actions and prohibit transactions with designated persons and entities. Additionally, these requirements should apply to both VASPs and obliged entities when they transfer VAs on behalf of a customer.
Finally, the Guidance provided for the principles of information sharing and cooperation amongst VASPs supervisors. These principles are non-binding and applicable to all countries whether they permit or prohibit VASPs: identification of supervisors and VASPs, information exchange and cooperation.
To conclude, the Guidance is an important step towards the fair regulation of VAs and VASPs. By proposing a broader definition of VA and VASP, urging countries to accommodate technological advancements and innovative business models, and establishing a risk-based approach to emerging technologies, the FATF continues to play an important role in the AML/CTF regulatory framework.