FATF Updates Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers
The Financial Action Task Force ("FATF"), the global money laundering and terrorist financing (“ML/TF”) watchdog, recently issued updated guidance related to compliance risks resulting from activities involving Virtual Assets (“VAs”) and Virtual Asset Service Providers (“VASPs”). FATF has members from over 200 countries, and its guidance generally is implemented by many governmental agencies, including the U.S. Treasury Department.
The guidance was originally published in 2019 to bring the VA and VASP industry in line with financial institutions and has since been updated to reflect industry feedback and consultation received earlier this year. In the most recent update, the FATF has outlined appropriate measures for countries and VASPs to adopt in order to manage and mitigate ML/TF risks when dealing with VAs.
The published guidance focuses on six key areas:
- Clarification of the definitions of VA and VASP;
- How the FATF standards apply to stablecoins;
- Peer-to-peer transactions;
- Licensing and registration of VASPs;
- Implementation of the “travel rule”; and
- Principles of information-sharing and co-operation among VASP supervisors.
The most significant updates are summarized below.
Definitions of Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs)
The updated guidance provides detailed definitions of VAs and VASPs – and the FATF expressly encourages a broad reading of both. The FATF notes the definitions are based on the asset or service and not on the nomenclature or terminology being used by the provider. Specifically, “the definitions do not depend on the technology employed by the service provider … The obligations in the FATF Standards stem from the underlying financial services offered without regard to an entity’s operational model, technological tools, ledger design, or any other operating feature.”
VAs are defined as “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.” The guidance states that this definition does not include digital representations of fiat currencies, securities, and other financial assets that have been covered by the FATF elsewhere. The guidance also provides examples to support the FATF’s definitions. For example, a digital bank record which represents a person’s ownership of fiat currency does not fall within the VA definition. Further, central bank-issued digital currencies are not considered VAs but are instead categorized as another form of fiat currency issued by a central bank.
The FATF defines VASPs as:
“any natural or legal person … that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- Exchange between virtual assets and fiat currencies;
- Exchange between one or more forms of virtual assets;
- Transfer of virtual assets;
- Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.”
Firms who “merely provide ancillary infrastructure to allow another entity to offer this service” (e.g., cloud data storage providers) are excluded from this definition.
The FATF guidance also discusses, among other topics, stablecoins, non-fungible tokens (“NFTs”), decentralized finance (“DeFi”) and decentralized or distributed applications (“DApp”):
- Stablecoins – the FATF notes the term “stablecoin” shares the same ML/TF risks as some VAs, and thus can fall under the definition of VA.
- NFTs – the FATF states that NFTs do not generally fall under the VA definition. However, if “used for payment or investment purposes in practice,” NFTs may be considered VAs. The guidance emphasizes an NFT’s “functional approach” is relevant when considering whether an NFT falls under the VA definition.
- DeFi – the guidance clarifies that a “DeFi application (i.e., the software program) is not a VASP under the FATF standards, as the standards do not apply to underlying software or technology.” However, creators, owners, and operators providing or facilitating VASP services and who “maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized,” may fall under the VASP definition.
- DApp – as DApps often facilitate or conduct the exchange or transfer of VAs, the FATF expresses the view that they may fall under the VASPs definition.
The FATF recognizes that its updated guidance does not apply to peer-to-peer (P2P) transactions (transfers carried out without any intervention of an intermediary, i.e., a transaction to and from “unhosted wallets”) because the FATF’s recommendations generally place obligations on intermediaries rather than individuals. However, the guidance highlights the need for countries to identify and understand the ML/TF risks related to P2P transactions. The FATF also provides several factors for countries to consider and certain measures that can be adopted to mitigate the risks.
Implementation of the “Travel Rule”
In its 2019 guidance, the FATF recommended that the so-called “Travel Rule” – which generally requires financial institutions to collect information on participants in transactions exceeding $1,000 – apply to VA transactions as well. The updated guidance provides additional instruction on the applicability of the Travel Rule to VASPs transferring over $1,000 in VAs that should be identifying the beneficiary of the transaction and the originator. To enhance implementation of the rule, the FATF has included a definition of transaction fees and provided details of how the rule applies to certain transactions where there are automatic refunds. The guidance also clarifies additional due diligence procedures to be taken for transactions with unhosted wallets.
Although the FATF’s guidance is not legally binding on member states or VASPs, when considered with OFAC’s latest guidance on virtual currencies (see our prior OnPoint) it is apparent that there is increased government scrutiny of the VA industry. Thus, VASPs should consider reviewing their ML/TF compliance programs frequently and revising them where necessary in anticipation of governments implementing and enforcing regulatory measures.