The Financial Action Task Force (FATF) first began weighing in on Cryptocurrency and Virtual Assets in June, 2014. In 2015 the FATF’s guidance was focused on the interfaces between fiat currency and virtual currency. Since that time, the FATF and its 39 member countries have evolved their approach to Virtual Assets (VAs). With the release of its June, 2019, Guidance For a Risk-Based Approached: Virtual Assets and Virtual Asset Service Providers, the FATF has adopted a like-for-like approach to regulations with virtual assets. Virtual Asset Service Providers (VASPs) must comply with the same regulations as traditional Financial Institutions.
To that end, the FATF has provided detailed guidance defining virtual assets, virtual asset service providers, and how regulations should apply. While cryptocurrency is included under the umbrella of virtual assets, the definition is not limited to cryptocurrency. virtual assets are digital representations of value “that can be digitally traded or transferred and can be used for payment or investment purposes.” (pg. 13) It is important to note that virtual assets do not include digital representations of fiat currency or securities and also do not include closed-loop systems such as airline miles, credit card awards, or other loyalty point systems. (pg 17)
Virtual asset service providers include any business that conduct one or more of the following activities: (pg 13-14)
- Exchange between virtual assets and fiat currencies;
- Exchange between one or more forms of virtual assets;
- Transfer of virtual assets;
- Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
This includes businesses that maintain custody or control of a 3rd party’s funds or wallets, which includes virtual asset escrow services, online wallet services, and brokerage services, regardless of whether they are centralized or decentralized. The FATF makes some clear distinctions as to which types of businesses are required to follow industry-standard AML/KYC processes:
- Software and hardware providers of cryptocurrency wallets where the end-user stores and owns their private keys are not considered VASPs
- Manufacturers of Bitcoin ATMs are not VASPs, but the operators of those machines may be considered VASPs based on the limitation of the value of the transactions allowed.
- Decentralized Exchanges (DeX) may or may not be classified as a VASP depending on whether or not they facilitate trades. If a DeX serves only as a message board or meeting place for offers and bids for trades where the trades take place outside of the system, the DeX is not a VASP. If the DeX processes or facilitates the trade, it is a VASP and must comply with appropriate AML/KYC requirements.
Much of the June 2019 guidance is directed toward countries and their Financial Intelligence Units (FIUs). The FATF maintains a perspective that due to the anonymity of users and the potential to obfuscate transaction flows, virtual assets pose greater money laundering and terrorist financing risk and therefore may require enhanced due diligence and additional regulatory scrutiny. This may be manifested as additional regulations for VAs and VASPs, but it also may include complete bans on VAs, VASPs, or both.
As part of the like-for-like approach that FATF has taken with VAs and VASPs, the FATF is recommending countries require VASPs to comply with the same rules including:
- Freezing funds associated with money laundering or terrorism;
- Confiscating funds or property that have been directly laundered, are the proceeds from financial crime, or have been used (or are intended to be used) for terrorist or terrorist financing;
- Requiring VASPs to be licensed and/or registered by appropriate regulatory bodies;
- Providing appropriate sanctions against VASPs that do not comply with AML/KYC policies;
- Requiring VASPs to submit Suspicious Activity Reports (SARs), Suspicious Transaction Reports (STRs), and CTRs (Currency Transaction Reports (CTRs);
- Providing monitoring of VASPs by regulatory bodies to ensure compliance with AML/KYC regulations;
- Maintaining transaction records;
In addition to these policies, the FATF and its member countries are recommending implementation of the “Travel Rule”, which requires VASPs to gather, simultaneously and securely, details on the originator and beneficiary of all transactions between two VASPs. This includes names, wallet addresses, account numbers, physical addresses, national ID numbers, and other details that may be applicable such as device identifiers, IP addresses, and transaction hashes. There is currently no mechanism in place for this information exchange between VASPs. For traditional, fiat currency, this information is included as part of the SWIFT message. As cryptocurrency transfers occur on the blockchain itself, these details cannot be sent as part of those messages. This poses a significant challenge for the entire cryptocurrency industry. There must be a balance between reducing the risk of money laundering and terrorist financing and the open nature of cryptocurrency.
It is important to note that the FATF does not have regulatory power, nor can it implement any sanctions against countries that do not follow its guidance. Only weeks after the FATF guidance, member states of the G20 met at the G20 Summit in Tokyo, Japan and agreed to implement these recommendations within a year and other countries are likely to follow suit. Additionally, the FATF’s guidance is only intended to address AML/KYC concerns, not issues of taxation (except for issues of tax evasion as per the AML4 directive), consumer protection, securities, banking, or commodities.
About iComply Investor Services Inc.
iComply Investor Services Inc. (iComply) is Regtech for Fintech, an award-winning software company focused on reducing regulatory friction in the digital finance. With powerful data, verification, tokenization solutions, iComply helps companies overcome the cost, complexity, and risks of multi-jurisdictional compliance in order to effectively access new markets. Learn more: iComplyIS.com
GDPR and Your Verification Solutions: Ensuring Compliance and Data Security
GDPR and Your Verification Solutions: Ensuring Compliance and Data Security The General Data Protection Regulation (GDPR) has significant implications for how financial and legal service providers handle personal data during client onboarding. While KYC/AML...
Ensuring Data Privacy in KYC Compliance: Key Steps and Best Practices
Data privacy compliance is a critical aspect of operating in today's digital landscape. Protecting personal data and adhering to regulatory requirements helps build trust with customers and avoid legal repercussions. Implementing...
Understanding the General Data Protection Regulation (GDPR) for Business Compliance
The General Data Protection Regulation (GDPR) is a comprehensive data protection law that impacts businesses operating within the European Union (EU) and those handling EU citizens' data. Ensuring compliance with GDPR is crucial...