The Financial Action Task Force (FATF) first began weighing in on Cryptocurrency and Virtual Assets in June, 2014.  In 2015 the FATF’s guidance was focused on the interfaces between fiat currency and virtual currency. Since that time, the FATF and its 39 member countries have evolved their approach to Virtual Assets (VAs).  With the release of its June, 2019, Guidance For a Risk-Based Approached:  Virtual Assets and Virtual Asset Service Providers, the FATF has adopted a like-for-like approach to regulations with virtual assets.  Virtual Asset Service Providers (VASPs) must comply with the same regulations as traditional Financial Institutions.

To that end, the FATF has provided detailed guidance defining virtual assets, virtual asset service providers, and how regulations should apply.  While cryptocurrency is included under the umbrella of virtual assets, the definition is not limited to cryptocurrency. virtual assets are digital representations of value “that can be digitally traded or transferred and can be used for payment or investment purposes.” (pg. 13)  It is important to note that virtual assets do not include digital representations of fiat currency or securities and also do not include closed-loop systems such as airline miles, credit card awards, or other loyalty point systems. (pg 17)

Virtual asset service providers include any business that conduct one or more of the following activities: (pg 13-14)

1. Exchange between virtual assets and fiat currencies;
2. Exchange between one or more forms of virtual assets;
3. Transfer of virtual assets;
4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
5. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset. 

This includes businesses that maintain custody or control of a 3rd party’s funds or wallets, which includes virtual asset escrow services, online wallet services, and brokerage services, regardless of whether they are centralized or decentralized. The FATF makes some clear distinctions as to which types of businesses are required to follow industry-standard AML/KYC processes:

• Software and hardware providers of cryptocurrency wallets where the end-user stores and owns their private keys are not considered VASPs
• Manufacturers of Bitcoin ATMs are not VASPs, but the operators of those machines may be considered VASPs based on the limitation of the value of the transactions allowed.
• Decentralized Exchanges (DeX) may or may not be classified as a VASP depending on whether or not they facilitate trades.  If a DeX serves only as a message board or meeting place for offers and bids for trades where the trades take place outside of the system, the DeX is not a VASP.  If the DeX processes or facilitates the trade, it is a VASP and must comply with appropriate AML/KYC requirements.

Much of the June 2019 guidance is directed toward countries and their Financial Intelligence Units (FIUs).  The FATF maintains a perspective that due to the anonymity of users and the potential to obfuscate transaction flows, virtual assets pose greater money laundering and terrorist financing risk and therefore may require enhanced due diligence and additional regulatory scrutiny.  This may be manifested as additional regulations for VAs and VASPs, but it also may include complete bans on VAs, VASPs, or both.

As part of the like-for-like approach that FATF has taken with VAs and VASPs, the FATF is recommending countries require VASPs to comply with the same rules including:

• Freezing funds associated with money laundering or terrorism;
• Confiscating funds or property that have been directly laundered, are the proceeds from financial crime, or have been used (or are intended to be used) for terrorist or terrorist financing;
• Requiring VASPs to be licensed and/or registered by appropriate regulatory bodies;
• Providing appropriate sanctions against VASPs that do not comply with AML/KYC policies;
• Requiring VASPs to submit Suspicious Activity Reports (SARs), Suspicious Transaction Reports (STRs), and CTRs (Currency Transaction Reports (CTRs);
• Providing monitoring of VASPs by regulatory bodies to ensure compliance with AML/KYC regulations;
• Maintaining transaction records;

In addition to these policies, the FATF and its member countries are recommending implementation of the “Travel Rule”, which requires VASPs to gather, simultaneously and securely, details on the originator and beneficiary of all transactions between two VASPs.  This includes names, wallet addresses, account numbers, physical addresses, national ID numbers, and other details that may be applicable such as device identifiers, IP addresses, and transaction hashes.  There is currently no mechanism in place for this information exchange between VASPs. For traditional, fiat currency, this information is included as part of the SWIFT message. As cryptocurrency transfers occur on the blockchain itself, these details cannot be sent as part of those messages.  This poses a significant challenge for the entire cryptocurrency industry. There must be a balance between reducing the risk of money laundering and terrorist financing and the open nature of cryptocurrency.

It is important to note that the FATF does not have regulatory power, nor can it implement any sanctions against countries that do not follow its guidance.  Only weeks after the FATF guidance, member states of the G20 met at the G20 Summit in Tokyo, Japan and agreed to implement these recommendations within a year and other countries are likely to follow suit. Additionally, the FATF’s guidance is only intended to address AML/KYC concerns, not issues of taxation (except for issues of tax evasion as per the AML4 directive), consumer protection, securities, banking, or commodities.

About iComply Investor Services Inc.
iComply Investor Services Inc. (iComply) is Regtech for Fintech, an award-winning software company focused on reducing regulatory friction in the digital finance. With powerful data, verification, tokenization solutions, iComply helps companies overcome the cost, complexity, and risks of multi-jurisdictional compliance in order to effectively access new markets. Learn more: iComplyIS.com

On May 9th, 2019, FinCEN released interpretive guidance on how existing regulations impact cryptocurrencies, which are referred to as Convertible Virtual Currencies.  While the “guidance does not establish any new regulatory expectations or requirements,” it does clarify existing regulations and the obligations of many crypto businesses.  

The guidance serves to explain which types of businesses must register as Money Services Businesses (MSBs) and thereby comply with FinCEN MSB regulations, including compliance with the Bank Secrecy Act  (BSA). Compliance with the BSA requires businesses to screen their customers, third party relationships, and transactions to mitigate money laundering or terrorist financing risk. These regulations also require the filing of Suspicious Activity Reports (SARs) and Currency Transaction Reports (CTRs) when those risks have been identified. The guidance does not however cover regulatory obligations associated with securities, commodities, taxes, or other possible government regulations which are managed by other government entities such as the SEC, OCC, CFTC, IRS, and others.

FinCEN’s policy on what constitutes an MSB is clear: “whether a person qualifies as an MSB subject to BSA regulation depends on the person’s activities and not its formal business status.”  Put more simply, it is the function of the business, not the form it takes or the name it is given.  The same policy applies to all types of currencies: money is considered “currency, funds, or other value that substitutes for currency.”

FinCEN has clarified that organizations that do business “in whole or in substantial part within the United States,” are subject to BSA regulations, even if they have no physical presence in the United States.  This will make it more difficult for companies headquartered overseas to skirt AML obligations if they are doing business in the US. However there are cases where an individual or business may not be subject to MSB requirements, and that is if they perform certain MSB activities, but do so infrequently and not for gain or profit.

Key Takeaways:

• Exchanges, whether crypto-to-crypto or fiat-to-crypto, must register as an MSB and comply with the BSA (including having a complete AML program and SAR/CTR reporting).
  
• Hosted Wallets must comply fully with BSA requirements.  Unhosted Wallet providers, such as deployed software or hardware wallets, are not required to comply with BSA and FinCEN AML requirements.
• Cryptocurrency ATM providers must comply with BSA and FinCEN AML requirements.
• DApps (decentralized apps such as Ethereum Smart Contracts) may or may not be required to comply with the BSA depending on whether the DApp performs money transmission (31 CFR § 1010.100(ff)(5)(i)(A)).
• Privacy Coins (zCash, Monero, etc.) and anonymization services (such as mixers or tumblers) must comply with BSA and FinCEN AML requirements.
• Cryptocurrency Payment Processors (also known as Fiat Gateways) do not qualify for the BSA exemptions provided to fiat payment processors as they may process payments from individual wallets, unlike fiat payment processors who only process payments from financial institutions through credit card payments or bank transfers.  Because of this, cryptocurrency payment processors must comply with BSA and FinCEN AML requirements.
• Decentralized Exchanges (DeX) do not need to comply with BSA and FinCEN AML requirements as long as the DeX does not facilitate the transfer of funds or hold any user funds.
• Mining Pools may have to comply with BSA and FinCEN AML requirements if the pool hosts the wallets that receive the proceeds of the mining.  If there is no wallet hosting provided by the mining pool, they most likely do not have to comply with BSA/AML requirements.
• Token Offerings (Initial Coin Offerings, Initial Exchange Offerings, Security Token Offerings, et al) provide the most complex scenarios for determining AML/BSA requirements.  Based on the organization type of the issuer, intermediary, or investor, the FinCEN obligations may align more closely with a bank, broker-dealer, futures commission merchant, commodity dealer, or mutual fund.  Each of these types of institutions have different AML/BSA requirements and will differ from those of an MSB.

Organizations issuing ICOs should work closely with trusted issuance vendors, accountants, and lawyers to determine the appropriate regulatory compliance based on the type of issuance and the potential investor pool.

While the guidance does clearly outline how the US Department of Treasury views many virtual asset business models, it does not cover all possible crypto businesses.  It is important to consider that just because a business does not fall neatly into one of the categories described does not mean it does not have FinCEN compliance obligations.  Where things may be unclear, the business should reach out to an experienced compliance lawyer or reach out directly to FinCEN.

Compliance obligations are not going away.  BSA requirements, including AML/KYC are a critical component of reducing crimes such as terrorist financing, money laundering, fraud, sexual exploitation, slavery, and many other crimes.  Financial institutions working with regulators are a critical component to reducing the impact of bad actors. As early movers in the industry that will one day take over traditional financial markets, it is critical for us to work together to ensure the solutions, businesses, and technology we build are creating a future we can look forward to living in. 

About the author: Greg Pinn, Head of Product Strategy at iComply Investor Services, has over a decade of experience leading global best practices in the anti-money laundering (AML) and know-your-customer (KYC) industry. Greg specializes in building industry leading products, including Thomson Reuter’s World-Check – now Refinitiv, to help financial institutions, both traditional and crypto, to scale operations, reduce risk and ensure compliance with global regulations. At iComply, Greg works to with industry leading virtual asset service providers to develop, build, and maintain best-in-class compliance programs.

About iComply Investor Services Inc.
iComply Investor Services Inc. (iComply) is an award-winning software company focused on reducing regulatory friction in financial markets. With powerful data, verification, and blockchain interface solutions, iComply helps companies overcome the cost and complexity of multi-jurisdictional compliance to effectively access new markets. Learn more: iComplyIS.com

During May 6-10, 2019, the FATF (Financial Action Task Force) held a private sector consultation on new AML policies related to “virtual assets” and “virtual asset service providers.” Representatives including regulators, financial intelligence units, financial institutions, and even a few blockchain companies provided both regulatory and industry insights on the proposed changes. As a regtech firm for fintechs, the iComply team provided a unique voice at the plenary, advocating on behalf of our clients and users. 

The FATF is the global oversight body for AML regulators around the world. In short, they regulate the regulators. The new FATF recommendations (specifically, 15 and 16) will impact how regulators define virtual assets, regulate virtual asset service providers, and enforce transaction-level audit trails. 

While the new FATF recommendations cover a much broader set of regulations, there are three key areas that will have the greatest impact on blockchain or cryptocurrency powered fintechs.

• The definition of “Virtual Assets” casts the net widely, covering nearly all fungible, purchasable, and tradable digital assets. The regulations of virtual assets will be viewed in the same way cash is today. Non-fungible assets, such as ERC721 tokens, in certain use cases, may present opportunities to avoid being caught under the virtual assets definition.
• The definition of “Virtual Asset Service Providers” (VASPs) encompasses any individual or corporation that holds virtual assets or the private keys to virtual assets on behalf of another party. Entities operating within the scope of a VASP today will need to review their core activities, such as promotion, distribution, custody, transfer, exchange, etc., for new reporting obligations. Interestingly, these new regulations may also drive the industry towards fully non-custodial Dex technology which was excluded from the policy discussions.
• Recommendation 15.7(b) was by far the most controversial and highly contested policy discussed at the event. While the requirements of R.15.7(b) may be easily solved with a wide variety of technologies, adopting any standard will require global industry collaboration; the primary solutions presented during the meetings present massive risk and liability in the areas of privacy and identity regulations ─ in addition to questions of power, control, privacy, and the use of personal information.

R.15.7(b) attempts to “copy and paste” funds-transfer regulation onto the transfers of digital assets. This would require any virtual asset service provider to report the beneficiary and originator of any virtual asset transfer—regardless of size or jurisdiction—through a database or data framework shared between the regulators and the market.

Aside from the new regulatory proposals, the plenary’s discussion focused on a much larger conversation: who determines the balance among privacy, digital identity, and market integrity regulations?

Some countries, such as the United States and Japan, showcased their own solutions for a centralized global data repository as presented by Verasign and Softbank, respectively. Here is a screenshot from one proposed solution, an “Equifax for virtual asset transactions”.

Big Data, Privacy, and Market Surveillance

Technically speaking, the ability to create a single, globally-centralized database housing the name, account number, home address, all wallet addresses, and the transaction number of every virtual transaction ever created is not difficult…until you get into the specifics of who has the power to control and access this data. 

More challenging than simply creating a global data repository is gaining market adoption. The virtual asset (a.k.a. cryptocurrency) industry has had difficulty with this to date. Threats of blockchain forks, or competitions over which chain best reflects the original vision of Satoshi Nakamoto, have created a fledgling industry full of tribal feudalism. 

Furthermore, establishing policies, best practices, or open source standards for maintaining the records of beneficial ownership and source of wealth for every cryptocurrency transaction opens a Pandora’s Box of questions regarding privacy, consent, GDPR, PIPA, and geopolitical power struggles. 

From cybersecurity, privacy, and data protection perspectives, handing over the power and control of both the identity and transactions of all public blockchains to a small handful of major corporations seems flawed from the start. While these honeypots of data are easy to create, they pose significant threats and potential harm to the trust and integrity of decentralized financial markets globally. 

Shared Standards and Interoperability

Luckily decentralized technology such as blockchain also presents viable solutions ─ many of which are already in use in the market today. Applied correctly, public blockchain technology can do a significantly better job of protecting the rights and privacy of a user while meeting AML obligations ─ provided the blockchain industry can agree on and implement a shared standard in time.

Simply using a public blockchain doesn’t prevent the ultimate aggregation of power and control if it is not done in an open, transparent, and decentralized manner. Solutions such as iComply’s Wallet Ownership Verification already address one part of the problem. Decentralized or self-sovereign identity solutions could solve other pieces, but they still leave significant gaps to fill.

All in all, the viability of public blockchains in regulated finance will come down to whether the industry can agree to establish and adopt standards for consent, privacy, and data sharing. As a leading regtech provider, and the only digital identity or asset tokenization solution invited to the FATF plenary, we at iComply considered it our duty to help raise awareness of the need for balanced regulations and enforcement policies that take a more holistic view of compliance; for example, how do we balance the requirements of R.15.7(b) with the requirements of MIFID, GDPR, or PIPA? 

Despite the challenges they present, these shifts in the regulatory fabric of global digital finance also present a number of exciting opportunities for the industry.

• Early Adopters who successfully implement the new requirements stand to gain market share and increased scalability, while their late-to-the-game competitors struggle to catch up. Since the dawn of the computer, advancements in technology have created new regulatory problems to tackle; and adopting a shared standard for interoperability has proven highly effective. Stock exchanges globally run on the FIX protocol, identity standards are benchmarked against the FIDO protocol, and the first 200 correspondent banks to adopt SWIFT set the global standard. While there remains much debate whether these new regulations are over-reaching, it is unlikely that this will reverse these new changes before the industry implements solutions.

     If you are interested in contributing to this conversation, contact us.

• Payment Services and Virtual Asset Exchanges will see several major changes to how they operate, with significant variations in reporting requirements or regulatory oversight by jurisdiction. This gets even more complex where an exchange is engaged in the issuance of utility or security tokens. The silver lining to these businesses is that compliance with these new regulatory requirements is one of the final technological hurdles for blockchain-powered exchanges and payments businesses to enter into the more lucrative institutional markets. 

• Wallet Providers will be significantly more complex, with factors such as whether the wallet is “hosted” or “non-hosted”. Within hours of moving the FATF regulations forward, FinCEN—the United States FIU (Financial Intelligence Unit)—published their guidance on the “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies“. FinCEN’s guidance is closely tied to the new FATF definitions, and wallet providers can expect most of the regulators in the G20 to follow suit.

• OTC Brokers and Trading Desks, including individuals facilitating OTC transactions, will be impacted significantly by the new compliance requirements these regulations will have on daily operations. However, in our conversations with iComply clients and partners who operate in the OTC market, the adoption of technology to meet regulatory requirements presents a larger opportunity, as the disclosure of beneficiary and originator data on an OTC transaction will remove significant instances of fraud, lost deals, and shady OTC agents throughout the industry as a whole. 
  

While the new regulations will see some variations as each jurisdiction begins implementing these AML requirements, iComply is dedicated to supporting our clients and partners as we navigate these changes.

Many fintech businesses now have questions about how these new regulations may impact their compliance program, competitive position, or ability to scale their business in the face of these new requirements. 

Click here to speak with an iComply representative if your business is interested in joining the discussion of virtual asset regulation, or if you have questions on how your business can best position itself to achieve compliance in an evolving regulatory landscape.

About iComply Investor Services Inc.
iComply Investor Services Inc. (iComply) is Regtech for Fintech, an award-winning software company focused on reducing regulatory friction in the digital finance. With powerful data, verification, tokenization solutions, iComply helps companies overcome the cost, complexity, and risks of multi-jurisdictional compliance in order to effectively access new markets. Learn more: iComplyIS.com