Financial Action Task Force and the future of digital assets

Fintech Worldwide brings you the latest news on Fintech, Blockchain and Digital Impact.

In response to perceived increased risk from digital financial assets, the Financial Action Task Force (FATF), the inter-governmental body that sets the international standards for the implementation of legal, regulatory and operational measures for combating money laundering, terrorist financing and other threats to the financial system, updated their recommendations in relation to ‘virtual assets (VAs) and virtual asset service providers (VASPs)’, recently, calling on all jurisdictions to “urgently take legal and practical steps to prevent the misuse of virtual assets”. (VAs and VASPs are defined in the Recommendations but for the sake of brevity, I exclude them here). 

The interpretive note added to Recommendation 15 and the release of the VASP Guidance portend a potentially significant expansion of global regulation over virtual assets (VA) during 2020 as the 39 FATF member countries consider whether, how and when to apply the recommendations within their respective regulatory and supervisory frameworks. 

The FATF Guidance updates the FATF’s 2015 Guidance, providing a Risk-Based Approach (RBA) to AML/CTF for Virtual Currencies, and is intended to help member countries to implement a risk-based AML/CTF framework, as well as to assist private sector entities engaged in VA activities with understanding their compliance obligations under the FATF Recommendations. It essentially requires that countries apply AML/CFT requirements to virtual asset service providers (VASPs) in much the same way that they are applied to financial institutions and sets forth an expectation that FATF member countries will;

• Require VASPs to be licensed or registered. (Separate licensing or registration is not recommended for already licensed or registered financial institutions that perform VASP activities).
• Consider virtual assets as “property”, “proceeds,” “funds,” “funds or other assets,” or other “corresponding value” and apply the relevant measures under the FATF Recommendations to virtual assets and VASP activities
• Subject VASPs to adequate regulation and supervision of AML/CFT and effective implementation of the relevant FATF Recommendations by a “competent authority” (no self-regulatory bodies) with the power to impose a range of disciplinary and financial sanctions on VASPs and their directors and senior management
• Coordinate with authorities to ensure compatibility of AML/CTF requirements with data protection and privacy rules

Under Recommendation 16, the genesis for the U.S. Treasury Department Financial Crimes Enforcement Network’s (“FinCEN”) so-called “Travel Rule”, member countries have “obligations to obtain, hold, and transmit required originator and beneficiary information in order to identify and report suspicious transactions, monitor the availability of information, take freezing actions, and prohibit transactions with designated persons and entities.” The obligation to obtain, hold, and transmit the required information applies to VASPs and financial institutions “when they send or receive VA transfers on behalf of a customer.” The Guidance notes that countries should adopt these requirements for VA transfers greater than or equal to USD/EUR1,000, (unlike the FinCEN travel rule that only applies to transfers greater than or equal to USD3,000).

Under the Guidance, the required information for each VA transfer includes:

1. originator’s name (i.e., the sending customer);
2. originator’s account number where such an account is used to process the transaction (e.g., the VA wallet);
3. originator’s physical (geographical) address, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the originator to the ordering institution, or date and place of birth;
4. beneficiary’s name; and
5. beneficiary’s account number where such an account is used to process the transaction (e.g., the VA wallet).

This information is required due to clarification in the Guidance that countries must treat all VA transfers as cross-border wire transfers as opposed to domestic wire transfers, which have less onerous transfer information requirements. Providers of VA transfers must also transmit the required information “immediately and securely”, whereby “immediately” means “simultaneously or concurrently with the transfer itself.” Additionally, FATF is giving countries the option to prohibit VA activities at a national level or require VASPs to be licensed or registered before conducting VA activities in or from their jurisdiction.

Implications for digital assets

The FATF Guidance and Recommendations are binding. Member countries are subject to mutual evaluation and scored by other members on their compliance with and enforcement of the FATF Recommendations. Countries that fail to substantially cooperate may face a remediation period or blacklisting. Accordingly, the release of the Guidance and the June 2020 review suggest that an increase in enforcement actions for unlicensed or unauthorised VA activity, and the failure to comply with the Travel Rule, is likely forthcoming in the U.S. and other jurisdictions.

Most of the Recommendation’s requirements are very similar to the existing regulatory regime that cryptocurrency exchanges are subject to in the United States (and will be subject to in the European Union, when the Fifth AML Directive is implemented in early 2020). Many major exchanges in the US and EU are already compliant with FATF recommendations, so other exchanges should be able to follow suit easily, yet the primary intent is to assist governments in drafting legislation and regulations. As such, different countries may implement the Recommendations in different ways, and some countries may impose requirements that are more stringent than the FATF Recommendations.

The Travel Rule is the most significant amendment to the Recommendations. VASPs are required to ask for their customers to provide information about the originator or beneficiary of any virtual asset transfer the VASP receives (such as a deposit into the customer’s account with the VASP) or carries out (like a withdrawal from the customer’s account) on behalf of that customer, including whether the originator or beneficiary’s address is custodied at another VASP and, if so, which VASP. The originating VASP must send “required and accurate originator information and required beneficiary information” to the beneficiary VASP. While the originator information must be “accurate”, the originating VASP is not obligated to verify that the beneficiary information is accurate. In other words, VASPs may accept, at face value, the information provided by the customer.

The Travel Rule makes a lot of sense in the context of wire transfers, where both the sender and recipient are always financial institutions, the identity of the receiving institution is always known to the Sender, and wire transfers take the form of messages between financial institutions (e.g. SWIFT MT103), which makes it trivial to transmit the necessary information by including it in the payment message. However, virtual asset transfers are fundamentally different. With the exception of Zcash (whose encrypted memo field was designed to facilitate compliance with the Travel Rule), cryptocurrencies do not, in general, enable the transfer of the necessary information as part of a transaction, which means that the information would need to be sent separately. Therefore, FATF has specified that it is “not necessary for this information to be attached directly to the virtual asset transfers”. In theory, it could be sent via email or submitted using a web form on the beneficiary VASP’s website. A number of initiatives are, therefore, investigating potential industry-wide solutions or standards to address this requirement for virtual assets that do not provide the ability to attach the required information to the transaction. One option is for VASPs to mandate that customers only deposit virtual assets from, and withdraw virtual assets to, a payment address that the customer controls. This would ensure that the VASP neither receives nor sends any virtual asset transfers from or to another VASP, thus avoiding the Travel Rule requirement entirely.

At London Blockchain week https://www.blockchainweek.com/ we will be bringing the latest on:

1. Global and Future Trends

2. Decentralised Finance - a mega trend

3. Digital Assets - What will be tokenised next?

4. Blockchain and Internet of Things 

5. Blockchain Marketplace is Open for Business.

6. How is Industry Deploying Blockchain? 

7. Creating Transformational Social Impact with Blockchain and Frontier Technologies

8. Will Governments transition to Blockchain? 

See you there!