The Financial Action Task Force (FATF), the global anti-money laundering watchdog, released updated guidance in October 2021 to help the private sector and jurisdictions apply the FATF’s risk-based approach to virtual asset (VA) activities and virtual asset service providers (VASPs). The FATF initially released its virtual asset guidance in 2019, attempting to bring VAs and VASPs in line with traditional financial institutions. The FATF has continued to review and update this guidance based on feedback from the industry. Importantly, the FATF acknowledges function over form and explains that VA activities should be analyzed based on the services provided rather than whether they fit into the specific wording of the definitions. The guidance notes “countries should not apply their definition based on the nomenclature or terminology which the entity adopts to describe itself or the technology it employs for its activities. . . . The obligations in the FATF Standards stem from the underlying financial services offered without regard to an entity's operational model, technological tools, ledger design or any other operating feature.”
The updated FATF guidance, coupled with recent guidance from the US Department of the Treasury, Office of Foreign Assets Control (OFAC) discussed in our previous briefing, reflects heightened government scrutiny of virtual assets and the vulnerabilities they can present. Although not legally binding on member countries or VASPs, the FATF guidance may serve as a reference for member countries in updating their own regulatory regimes, and therefore, VASPs would be well-advised to proactively evaluate their compliance programs in advance of any regulatory actions needed to implement the guidance.
Definitions of VA and VASP
The guidance begins by clarifying the definitions of VA and VASP. The FATF defines a “virtual asset” or VA as a “digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.” The guidance goes on to give numerous examples of how to apply these definitions. A mere digital representation of fiat currencies, securities and other financial assets that are already covered elsewhere by the FATF is not intended to be treated as a VA without an inherent ability itself to be digitally traded or transferred and the ability to be used for payment or investment purposes. For example, a digital bank record that just represents ownership of a specific financial asset is not a VA. Central bank digital currencies are also not VAs and are instead categorized as “fiat currency.” However, the guidance notes that stablecoins could fall under the definition of virtual asset.
The guidance also mentions non-fungible tokens (NFTs) and explains a more context-specific approach is to be used. Where an NFT is used as a collectible, it generally does not fall under the FATF definition of VA. In certain circumstances, however, NFTs could be considered VAs if “they are to be used for payment or investment purposes in practice.”
The FATF defines a “virtual asset service provider” or VASP as:
[A]ny natural or legal person … that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- Exchange between virtual assets and fiat currencies
- Exchange between one or more forms of virtual assets
- Transfer of virtual assets
- Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset
The definition excludes those who “merely provide ancillary infrastructure” and instead focuses on those with control of VAs. Protocol developers and those that merely publish software that creates new VAs or new virtual asset networks should not be captured in the VASP definition.
The guidance also discusses DeFi and DApps. With respect to DeFi, the guidance clarifies that a “DeFi application (i.e., the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology,” but creators, owners and operators who “maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services.” The guidance highlights factors that countries may consider in assessing control and identifying the owner/operator of a DeFi arrangement, such as whether any party profits from the service or has the ability to set or change parameters, and the existence of an ongoing business relationship between themselves and users, even if exercised through a smart contract or other voting protocols. It may be challenging in practice to understand where exactly to draw the line with respect to sufficient control and influence.
The guidance further explains that an issuer is generally excluded from the VASP definition, but that “issuer” is narrowly defined. The sole act of creation of the VA is not covered under the VASP definition, but the offer and/or sale of the VA and “any persons which conduct the exchange and transfer of the issued VAs as a business for or on behalf of another person would be a covered service.”
Peer-to-peer (P2P) transactions
The guidance goes on to discuss peer-to-peer (P2P) transactions (transfers to and from “unhosted wallets”) and notes the potentially heightened AML/CFT risks such transactions pose. It emphasizes that countries need to understand these risks and how peer-to-peer transactions are being used, especially when new types of VAs enter the market or pre-existing VAs reach mass adoption. It also provides certain measures countries may take to mitigate these risks.
Travel rule
The guidance also discusses the implementation of the “travel rule” and recommends that VASPs making transfers in cryptocurrency over USD$1,000 share certain identifying details about the recipient. Where a transfer is to/from an unhosted wallet, a VASP should be aware of the risks and may choose to impose additional limits or controls on such transactions with unhosted wallets. The guidance gives two examples of potential measures:
- Enhancing existing risk-based control framework to account for specific risks posed by transactions with unhosted wallets (e.g., accounting for specific users, patterns of observed conduct, local and regional risks, and information from regulators and law enforcement)
- Studying the feasibility of accepting transactions only from/to VASPs and other obliged entities, and/or unhosted wallets that the VASP has assessed to be reliable
US economic sanctions
As OFAC makes clear, and as the FATF guidance underscores, US sanctions compliance obligations are the same regardless of whether a transaction is denominated in digital assets or traditional fiat currency. US persons and persons otherwise subject to OFAC jurisdiction, including non-US persons engaged in transactions that involve a US nexus, are responsible for ensuring they do not engage in transactions prohibited by OFAC sanctions, including unauthorized VA activities. In this regard, the FATF guidance suggests that VASPs be required to implement an effective control framework, taking into account the unique nature of VA transfers, to ensure that they can comply with their sanctions obligations. The FATF also notes that VASPs may need to consider mitigation measures that are aligned with their business processes and the technical nature of VAs. Such measures could include, for example, putting a wallet on hold until screening is completed and has confirmed that no concern is raised, or arranging to receive a VA transfer with a provider’s wallet that links to a customer’s wallet and moving the transferred VA to the customer’s wallet only after the screening is completed and has confirmed that no concern is raised.
We will continue to monitor these developments and provide updates as warranted.