Login
Contact Sales
Login
CONTACT SALES

FATF Guidance For a Risk-Based Approached: Virtual Assets and Virtual Asset Service Providers

by | Jun 24, 2019 | Compliance Updates, iComply Insights

The Financial Action Task Force (FATF) first began weighing in on Cryptocurrency and Virtual Assets in June, 2014.  In 2015 the FATF’s guidance was focused on the interfaces between fiat currency and virtual currency. Since that time, the FATF and its 39 member countries have evolved their approach to Virtual Assets (VAs).  With the release of its June, 2019, Guidance For a Risk-Based Approached:  Virtual Assets and Virtual Asset Service Providers, the FATF has adopted a like-for-like approach to regulations with virtual assets.  Virtual Asset Service Providers (VASPs) must comply with the same regulations as traditional Financial Institutions.

To that end, the FATF has provided detailed guidance defining virtual assets, virtual asset service providers, and how regulations should apply.  While cryptocurrency is included under the umbrella of virtual assets, the definition is not limited to cryptocurrency. virtual assets are digital representations of value “that can be digitally traded or transferred and can be used for payment or investment purposes.” (pg. 13)  It is important to note that virtual assets do not include digital representations of fiat currency or securities and also do not include closed-loop systems such as airline miles, credit card awards, or other loyalty point systems. (pg 17)

Virtual asset service providers include any business that conduct one or more of the following activities: (pg 13-14)

  1. Exchange between virtual assets and fiat currencies;
  2. Exchange between one or more forms of virtual assets;
  3. Transfer of virtual assets;
  4. Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
  5. Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset. 

This includes businesses that maintain custody or control of a 3rd party’s funds or wallets, which includes virtual asset escrow services, online wallet services, and brokerage services, regardless of whether they are centralized or decentralized. The FATF makes some clear distinctions as to which types of businesses are required to follow industry-standard AML/KYC processes:

  • Software and hardware providers of cryptocurrency wallets where the end-user stores and owns their private keys are not considered VASPs
  • Manufacturers of Bitcoin ATMs are not VASPs, but the operators of those machines may be considered VASPs based on the limitation of the value of the transactions allowed.
  • Decentralized Exchanges (DeX) may or may not be classified as a VASP depending on whether or not they facilitate trades.  If a DeX serves only as a message board or meeting place for offers and bids for trades where the trades take place outside of the system, the DeX is not a VASP.  If the DeX processes or facilitates the trade, it is a VASP and must comply with appropriate AML/KYC requirements.

Much of the June 2019 guidance is directed toward countries and their Financial Intelligence Units (FIUs).  The FATF maintains a perspective that due to the anonymity of users and the potential to obfuscate transaction flows, virtual assets pose greater money laundering and terrorist financing risk and therefore may require enhanced due diligence and additional regulatory scrutiny.  This may be manifested as additional regulations for VAs and VASPs, but it also may include complete bans on VAs, VASPs, or both.

As part of the like-for-like approach that FATF has taken with VAs and VASPs, the FATF is recommending countries require VASPs to comply with the same rules including:

  • Freezing funds associated with money laundering or terrorism;
  • Confiscating funds or property that have been directly laundered, are the proceeds from financial crime, or have been used (or are intended to be used) for terrorist or terrorist financing;
  • Requiring VASPs to be licensed and/or registered by appropriate regulatory bodies;
  • Providing appropriate sanctions against VASPs that do not comply with AML/KYC policies;
  • Requiring VASPs to submit Suspicious Activity Reports (SARs), Suspicious Transaction Reports (STRs), and CTRs (Currency Transaction Reports (CTRs);
  • Providing monitoring of VASPs by regulatory bodies to ensure compliance with AML/KYC regulations;
  • Maintaining transaction records;

In addition to these policies, the FATF and its member countries are recommending implementation of the Travel Rule, which requires VASPs to gather, simultaneously and securely, details on the originator and beneficiary of all transactions between two VASPs.  This includes names, wallet addresses, account numbers, physical addresses, national ID numbers, and other details that may be applicable such as device identifiers, IP addresses, and transaction hashes.  There is currently no mechanism in place for this information exchange between VASPs. For traditional, fiat currency, this information is included as part of the SWIFT message. As cryptocurrency transfers occur on the blockchain itself, these details cannot be sent as part of those messages.  This poses a significant challenge for the entire cryptocurrency industry. There must be a balance between reducing the risk of money laundering and terrorist financing and the open nature of cryptocurrency.

It is important to note that the FATF does not have regulatory power, nor can it implement any sanctions against countries that do not follow its guidance.  Only weeks after the FATF guidance, member states of the G20 met at the G20 Summit in Tokyo, Japan and agreed to implement these recommendations within a year and other countries are likely to follow suit. Additionally, the FATF’s guidance is only intended to address AML/KYC concerns, not issues of taxation (except for issues of tax evasion as per the AML4 directive), consumer protection, securities, banking, or commodities.

About iComply Investor Services Inc.
iComply Investor Services Inc. (iComply) is Regtech for Fintech, an award-winning software company focused on reducing regulatory friction in the digital finance. With powerful data, verification, tokenization solutions, iComply helps companies overcome the cost, complexity, and risks of multi-jurisdictional compliance in order to effectively access new markets. Learn more: iComplyIS.com

2025 Outlook: Data Privacy and Security in KYB, KYC, AML Compliance
2025 Outlook: Data Privacy and Security in KYB, KYC, AML Compliance

Jan 5, 2025

In today’s rapidly changing digital landscape, data privacy and security are more crucial than ever for compliance teams. As regulations tighten and cyber threats evolve, businesses must prioritize innovative solutions. Enter edge computing, a game-changer for KYC,...

Vaidyanathan Chandrashekhar

Vaidyanathan Chandrashekhar

Advisors

“Chandy,” is a technology and risk expert with executive experience at Boston Consulting Group, Citi, and PwC. With over two decades in financial services, digital transformation, and enterprise risk, he advises iComply on scalable compliance infrastructure for global markets.
Thomas Linder

Thomas Linder

Advisors

Thomas is a global tax and compliance expert with deep specialization in digital assets, blockchain, and tokenization. As a partner at MME Legal | Tax | Compliance, he advises iComply on regulatory strategy, cross-border compliance, and digital finance innovation.
Thomas Hardjono

Thomas Hardjono

Advisors

Thomas is a renowned identity and cybersecurity expert, serving as CTO of Connection Science at MIT. With deep expertise in decentralized identity, zero trust, and secure data exchange, he advises iComply on cutting-edge technology and privacy-first compliance architecture.
Rodney Dobson

Rodney Dobson

Advisors

Rodney is the former President of ADP Canada and international executive with over two decades of leadership in global HR and enterprise technology. He advises iComply with deep expertise in international service delivery, M&A, and scaling high-growth operations across regulated markets.
Praveen Mandal

Praveen Mandal

Advisors

Praveen is a serial entrepreneur and technology innovator, known for leadership roles at Lucent Bell Labs, ChargePoint, and the Stanford Linear Accelerator. He advises iComply on advanced computing, scalable infrastructure, and the intersection of AI, energy, and compliance tech.
Paul Childerhose

Paul Childerhose

Advisors

Paul is a Canadian RegTech leader and founder of Maple Peak Group, with extensive experience in financial services compliance, AML, and digital transformation. He advises iComply on regulatory alignment, operational strategy, and scaling compliance programs in complex markets.
John Engle

John Engle

Advisors

John is a seasoned business executive with senior leadership experience at CIBC, UBS, and Accenture. With deep expertise in investment banking, private equity, and digital transformation, he advises iComply on strategic growth, partnerships, and global market expansion.
Jeff Bandman

Jeff Bandman

Advisors

Jeff is a former CFTC official and globally recognized expert in financial regulation, fintech, and digital assets. As founder of Bandman Advisors, he brings deep insight into regulatory policy, market infrastructure, and innovation to guide iComply’s global compliance strategy.
Greg Pearlman

Greg Pearlman

Advisors

Greg is a seasoned investment banker with over 35 years of experience, including leadership roles at BMO Capital Markets, Morgan Stanley, and Citigroup. Greg brings deep expertise in financial strategy and growth to support iComply's expansion in the RegTech sector.
Deven Sharma

Deven Sharma

Advisors

Deven is the former President of S&P and a globally respected authority in risk, data, and capital markets. With decades of leadership across financial services and tech, he advises iComply on strategic growth, governance, and the future of trusted data in AML compliance.