The Financial Action Task Force (FATF), the inter-governmental body that sets international standards for anti-money laundering (AML) and countering the financing of terrorism (CFT), released a highly anticipated interpretive note and guidance on June 21, 2019, “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers” (the Guidance), clarifying the application of its 40 Recommendations to virtual assets (VAs) and virtual asset service providers (VASPs). The Guidance, which builds on steps FATF has taken over several years toward setting international AML/CFT standards for the virtual currency sector, broadly recommends that countries require VASPs to comply with the same AML/CFT requirements as traditional financial institutions.
FATF’s Standards for Virtual Assets: Years in the Making
Since its establishment in 1989, FATF has developed a series of Recommendations, together with related interpretive notes and guidance, outlining the AML/CFT measures that FATF recommends countries implement.[1] The most recent version of the Recommendations was published in February 2012. The FATF standards are not binding law; FATF expects its members to implement the FATF standards into law on a national level, and it periodically conducts peer reviews of its members’ progress in implementing those standards.
February 2012 Recommendations. In 2012, FATF revised its Recommendations to introduce Recommendation 15, “New technologies,” which provides: “Countries and financial institutions should identify and assess the money laundering or terrorist financing risks that may arise in relation to (a) the development of new products and new business practices, including new delivery mechanisms, and (b) the use of new or developing technologies for both new and pre-existing products.” At the time, this Recommendation did not explicitly refer to virtual currency.
June 2014 Report. FATF published a report in June 2014 that outlined potential AML/CFT risks associated with virtual currencies, including (1) limited identification and verification of participants; (2) lack of clarity regarding responsibility for AML/CFT compliance, supervision and enforcement; and (3) lack of a central oversight body. The report distinguished between “convertible virtual currency,” which can be exchanged for fiat currency or other virtual currencies, and “non-convertible virtual currency,” which cannot be exchanged for fiat currency. The report asserted that convertible virtual currencies are potentially vulnerable to AML/CFT risks.
June 2015 Guidance. In June 2015, FATF published guidance entitled “Guidance for a Risk-Based Approach: Virtual Currencies,” which outlined risk-based standards for addressing AML/CFT risks associated with virtual currency. Consistent with the 2014 report’s assessment that convertible virtual currency presents greater AML/CFT risk than non-convertible virtual currency, the 2015 guidance primarily focused on convertible virtual currency and “convertible virtual currency exchangers,” which it defined as “points of intersection that provide gateways to the regulated financial system (where convertible [virtual currency] activities intersect with the regulated fiat currency financial system).”
October 2018 Amendment to FATF Recommendations. In October 2018, FATF adopted new definitions of the terms VA and VASP and amended Recommendation 15 to clarify its application to activities or operations involving VAs and VASPs. Importantly, with this amendment, FATF also clarified that its standards apply to non-convertible virtual currency transactions in addition to convertible virtual currency transactions.
The October 2018 amendment defined VA as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes,” but not “digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.”
VASP was defined as “any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person”:
- exchange between VAs and fiat currencies;
- exchange between one or more forms of VAs;
- transfer of VAs;
- safekeeping and/or administration of VAs or instruments enabling control over VAs; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a VA.
Recommendation 15 was expanded in 2018 to provide that “[t]o manage and mitigate the risks emerging from [VAs], countries should ensure that [VASPs] are regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations.”
February 2019 Draft Interpretive Note (Travel Rule). In February 2019, FATF issued a draft interpretive note to Recommendation 15 to provide information on how countries should apply the FATF Recommendations in the context of VAs. FATF specifically invited public comment on paragraph 7(b) of the draft interpretive note, which provided that, in applying Recommendation 16 (the so-called “travel rule”) in the context of VAs, countries should require “originating VASPs” and “beneficiary VASPs” to obtain and hold certain information on originators and beneficiaries of VA transfers, a requirement often referred to as the “travel rule.”
Overview of the Guidance
The Guidance, which retains the October 2018 definitions of VA and VASP, generally takes an expansive approach to the application of each FATF Recommendation to VAs, VASPs and other entities that engage in VA activities. It states that VASPs “have the same full set of obligations” as other financial institutions.
Among other requirements, the Guidance provides that countries should:
- identify, understand and assess their AML/CFT risk, including by conducting a risk assessment, and apply a risk-based approach to address AML/CFT risk, including in relation to risks associated with VAs and VASPs that engage in or provide covered VA activities, operations, products or services;
- require VASPs to identify, assess and address the AML/CFT risks associated with their activities, taking into all relevant risk factors, including the types of services, products, or transactions involved; customer risk; geographical factors; and type(s) of VA exchanged, among other factors;
- designate one or more authorities with responsibility for licensing and/or registering VASPs and establish appropriate criteria for licensing and registration, as well as take action against VASPs operating in their jurisdiction without the requisite license or registration;
- require VASPs to take preventive measures such as customer due diligence (subject to an occasional transaction de minimis threshold of 1,000 USD/EUR), record-keeping and suspicious transaction reporting;
- ensure their authorities cooperate constructively with authorities from other countries, including on confiscation of laundered property and the exchange of relevant information;
- apply FATF Recommendation 16 to VA transactions (with certain exceptions, as outlined further below);
- ensure that supervision staff is trained to understand the VASP sector, particularly with respect to assessing the quality of a VASP’s AML/CFT program; and
- facilitate information exchange between the public and private sectors as part of the national AML/CFT strategy.
The Guidance identifies certain examples of elements that countries and VASPs should consider when identifying, assessing and determining how best to mitigate VA-related risks, including:
- the potentially higher risks associated both with VAs that move value into and out of fiat currency and the traditional financial system and with virtual-to-virtual transactions;
- the risks associated with centralized and decentralized VASP business models;
- risks associated with anonymity-enhanced cryptocurrencies, embedded mixers or tumblers, internet protocol anonymizers such as The Onion Router (TOR) or Invisible Internet Project (I2P), or other products and services that may obfuscate the transactions or undermine a VASP’s ability to know its customers and implement effective AML/CFT measures;
- whether the VASP operates entirely online (e.g., platform-based exchanges) or in person (e.g., trading platforms that facilitate peer-to-peer exchanges or kiosk-based exchanges);
- the potential money laundering and terrorist financing risks associated with a VASP’s connections and links to several jurisdictions; and
- the nature and scope of the VA account, product, or service and of the VA payment channel or system.
Application of the Travel Rule
FATF’s approach to the travel rule, which was originally designed for traditional transmittals of funds between banks, will be an area of particular interest to VASPs. Interpretive Note to Recommendation 15 instructs countries to require originating VASPs to obtain and hold certain information on the originator and beneficiary of a transaction and send this information to the beneficiary VASP securely and immediately upon the transaction taking place. According to FATF, the required information does not need to be sent to the beneficiary VASP as part of the transaction or on the blockchain; rather, it can be an entirely distinct process. Both VASPs in the transaction must retain the information and provide it to law enforcement upon request.
The Guidance states that the requirements of Recommendation 16 should apply to VASPs whenever their transactions, whether in fiat currency or VA, involve: (a) a traditional wire transfer, or (b) a VA transfer or other related message operation between a VASP and another obliged entity (e.g., between two VASPs or between a VASP and another obliged entity, such as a bank or other financial institution). The FATF travel rule therefore does not apply to peer-to-peer transactions not involving a VASP or other financial institution or to transfers between custodial wallets (which are VASPs) and non-custodial wallets (which are not VASPs). FATF also states that countries may adopt a de minimis threshold of 1,000 USD/EUR for VA-related transactions, below which the travel rule would not apply.
Under FATF’s travel rule, information required to be sent between VASPs includes:
- the originator’s name;
- the originator’s account number (such as a VA wallet);
- the originator’s physical address, national identification number or customer identification number;
- the beneficiary’s name; and
- the beneficiary’s account number (such as a VA wallet).
In addition, the Guidance states that other requirements of Recommendation 16, such as (1) monitoring the availability of information and (2) taking freezing action and prohibiting transactions with designated persons and entities, apply to VASPs and financial institutions when sending or receiving VA transfers on behalf of a customer.
In the June 2019 final interpretive note to Recommendation 15, FATF made few changes to the February 2019 draft interpretive note. The requirement that originating VASPs submit originator information “immediately and securely” was added in the final text. Further, the Guidance clarifies that “immediately” means “simultaneously or concurrently with the transfer itself,” and “securely” is “meant to convey that providers should protect the integrity and availability of the required information to facilitate recordkeeping (among other requirements) and the use of such information by receiving VASPs or other obliged entities as well as to protect it from unauthorized disclosure.”
Reaction and Next Steps
International policymakers have expressed strong support for the Guidance. At the Group of 20 (G20) summit held in Osaka, Japan on June 28-29, 2019, the G20 members released a declaration including the following statement: “We reaffirm our commitment to applying the recently amended FATF Standards to virtual assets and related providers for anti-money laundering and countering the financing of terrorism. We welcome the adoption of the [FATF] Interpretive Note and Guidance.”
U.S. Treasury Secretary Steven Mnuchin praised the FATF Guidance as “a major step towards harmonizing international regulations concerning cryptocurrencies” in a press conference in which he highlighted the “serious concerns that Treasury has regarding the growing misuse of virtual currencies by money launderers, terrorist financiers, and other bad players.”
However, as previewed in their comment letters on the draft interpretive note, some virtual currency market participants have criticized the Guidance, and in particular its approach to the travel rule. Criticisms include that compliance is not technologically possible or will be costly and burdensome, and that the requirements will drive VA activity, including suspicious VA activity, into platforms that are outside of the regulatory perimeter.
According to a public statement released with the Guidance, FATF will conduct a 12-month review of members’ implementation of the Guidance in June 2020. Accordingly, in the next year, we expect that member countries will begin to change their laws and regulations to align with the Guidance (to the extent they have not done so already).
The Financial Crimes Enforcement Network of the U.S. Treasury Department (FinCEN) issued guidance in May 2019 on the application of its regulations—including the FinCEN travel rule—to certain business models involving convertible virtual currencies. It remains to be seen whether and how FinCEN will further clarify the application of its travel rule and other regulations to VASPs, including for purposes of adhering to the Guidance.
The Guidance signals that additional international regulation of the VA sector may be on the horizon. We anticipate that member countries will continue to standardize their regulatory regimes in line with FATF’s standards. Accordingly, VASPs should consider assessing their systems against the Guidance—particularly with respect to the travel rule.
ENDNOTE
[1] FATF’s 39 members—37 jurisdictions and two regional organizations—together represent most major financial centers.
This post comes to us from Davis, Polk & Wardwell LLP. It is based on the firm’s memorandum, “Financial Action Task Force Issues Guidance for the Virtual Asset Sector,” dated July 22, 2019, and available here.