FATF Guidance Update

October 29, 2021

Introduction

The Financial Action Task Force (FATF) yesterday published Updated Guidance for a Risk Based Approach for Virtual Assets and Virtual Asset Providers.  This revision amends the FATF guidance originally published in 2019 and contains some significant changes from the March 2021 proposed draft update

The Chamber of Digital Commerce has been engaged in ongoing dialogue with FATF, and was asked to provide additional input following the March draft. We are pleased to see that a number of our recommendations were incorporated into the final guidance and we look forward to continued proactive engagement with FATF on these important issues.

 

Summary

The updated guidance provides clarity in a number of areas with respect to how the FATF Recommendations should apply to Virtual Asset (VA) activities and Virtual Asset Service Providers (VASPs). As described by FATF, the updated guidance focuses on six key areas:

  1. Clarification of the definitions of VAs and VASPs;
  2. Guidance on how the FATF standards apply to stablecoins; 
  3. Additional guidance on the risks and the tools available to countries to address the ML/TF risks for peer-to-peer transactions;
  4. Additional guidance for the public and private sectors on the implementation of the “Travel rule;”
  5. Updated guidance on the licensing and registration of VASPs; and
  6. Principles for information sharing and cooperation amongst VASP supervisors.

The following summarizes a number of key changes in the updated guidance with a particular focus on changes of likely interest to Chamber members.  However, given the breadth of the changes, the following is not an exhaustive list.  

As a whole, the updated guidance is a significant improvement over the March draft, but, in the view of the Chamber, there remains a number of areas for future improvement. 

 

Definitions of VA and VASP

Virtual Asset

The guidance does not change the underlying definitions of a virtual asset (VA) and virtual asset service providers (VASPs), but does elaborate in significant detail on how the definitions of those terms should be understood and applied.  

FATF defines a VA as any item that is “digital” and “digitally traded or transferred and can be capable of being used for payment or investment purposes.” The updated guidance clarifies how the term applies to a number of specific asset types. For example, paragraph 17 explains the guidance does not address central bank digital currencies (CBDCs), which it states “are categorized as fiat currency.” On the other hand, it clarifies that stablecoins are VAs and highlights a number of potential risks linked to stablecoins, primarily stemming from “greater potential for mass-adoption.”  

With respect to non-fungible tokens (NFTs), the updated guidance states that such tokens are “generally not considered to be VAs under the FATF definition,” but may be considered VAs if “they are to be used for payment or investment purposes in practice.”  It further notes that some NFTs may be covered under FATFs definition of financial asset (for example, if the NFT could be considered a security). 

The Chamber welcomes the fact that NFT’s have been largely excluded from the VA definition. However, we believe the suggestion that some NFTs may be securities is overly broad and that, as a matter of law and policy, only a very small set of non-fungible tokens should be considered securities (for example, a token representing a specific stock certificate).  

 

Virtual Asset Service Provider

FATF defines a VASP as: any natural or legal person that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

  • Exchange between virtual assets and fiat currencies;
  • Exchange between one or more forms of virtual assets;
  • Transfer of virtual assets;
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The updated guidance goes on to define a number of the terms contained in the overall definition including “person,” “as a business,” “for or on behalf of another natural or legal person,” and “conducts.”  

Of particular note is the definition of conducts, which is defined to include “provision and/or active facilitation of a service.”  The Chamber is pleased to note our feedback was taken into account on this definition. However, while the definition of “conducts” is somewhat narrower than FATF’s draft guidance from earlier this year, we advised FATF that it may continue to present challenges for some members of industry, particularly developers of automated software and DeFi protocols (discussed below), who may struggle to understand the scope of “active facilitation.”

With respect to new assets created by crypto protocol developers, the new guidance provides clarity that publishing software that creates new virtual assets or new virtual asset networks is not an activity that triggers surveillance obligations. Paragraph 76 explicitly states that persons who “merely provide ancillary infrastructure” including “verifying the accuracy of signatures” will not be within the scope of surveillance obligations.

 

Decentralized Finance

The updated guidance includes a number of additions regarding DeFi and DApps, which largely track the March draft.  Paragraph 67 states that a “DeFi application (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology.”  However, the guidance adds that creators, owners, and operators who “maintain control or sufficient influence in the DeFi arrangements, even if those arrangements seem decentralized, may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services.”  

Therefore, the updated guidance seems to take the position that truly decentralized protocols would not be VASPs, but that many projects that hold themselves out as “decentralized” are in fact not sufficiently decentralized to be outside the VASP definition.  The updated guidance offers a number of indicators of control and clarifies that individual governance token holders are not VASPs if they do not carry “control or sufficient influence” over the arrangement.  

The Chamber believes this is an improvement over the language from the March draft guidance, which, among other potentially problematic terms, suggested that those involved in DeFi “business development” might be VASPs.  However, the Chamber believes that in practice it may be challenging for national regulators and industry to determine precisely where to draw the line given the proliferation of DeFi business models and the fairly general language contained in the updated guidance.

 

Custodians

The updated guidance adds a number of new sections on the “safekeeping” and “administration” of VAs.  The guidance defines safekeeping as “the service of holding a VA or the private keys to the VA on behalf of another person” and “administration” as “the concept of managing VAs for or on behalf of another person.”  Control is defined to mean “the ability to hold, trade, transfer or spend the VA.”  Notably, the updated guidance explains that control can encompass situations “such as multi-signature processes” and adds that the “existence of a multi-signature model or models in which multiple parties must use keys for a transaction to happen does not mean a particular entity does not maintain control, depending on the extent of the influence it may have over the VAs.”  

While this guidance is sufficiently clear with respect to most use cases, there may be certain multi-signature models where regulators and industry struggle to determine whether the provider has “control.”

 

Issuers

The updated guidance adds a number of new paragraphs on token issuers and related service providers beginning at paragraph 77.  The updated guidance explains that “the sole act of issuing a VA” is not a covered service under the VASP definition.  However, it defines issuing a VA as limited to creation of a VA, which it distinguishes from the offer and/or sale of the VA.  It goes on to explain that “any persons which conduct the exchange and transfer of the issued VAs as a business for or on behalf of another person would be a covered service,” indicating that entities that create a VA and then sell it are likely VASPs.  

This may have broad implications for entities that pre-mint and then sell or otherwise distribute VAs.   

 

Stablecoins

The updated guidance includes a fair amount of new language on stablecoins, beginning at paragraph 86.  Unsurprisingly, the guidance states that “where such a central body exists in a stablecoin arrangement, they will, in general, be covered by the FATF Standards either as a FI or a VASP.”  

The guidance holds open the possibility that a stablecoin may have not have a “readily identified central body which is a VASP or FI,” but suggests that there may be a central party “to drive the development and launch of such an arrangement before its release” and that this may, in certain circumstances, “create scope for regulatory or supervisory action in the pre-launch phase.”  The guidance did not provide further explanation of what such “pre-launch” oversight might look like and this may be an area where future clarification would be helpful.

 

Peer-to-Peer Transactions Using Unhosted or Noncustodial Wallets

The updated guidance indicates countries should view peer-to-peer transactions (P2P) as posing unique and, potentially, heightened AML/CFT risks and consider a number of measures to mitigate those risks.  

In a positive development, FATF removed the problematic suggestion in paragraph 106(c) of the March draft that countries may consider “denying licensing of VASPs if they allow transactions to/from non-obliged entities (i.e., private / unhosted wallets).” 

However, most of the other mitigations proposed in the March draft remain, such as “obliging VASPs to facilitate transactions only to/from addresses/sources that have been deemed acceptable in line with their RBA” and “issuing public guidance and advisories and conducting information campaigns to raise awareness of risks posed by P2P transactions.”  

 

Correspondent Relationships and Counterparty Due Diligence

Correspondent Relationships

The updated guidance clarifies that Recommendation 13, regarding cross-border correspondent relationships, is applicable to VASPs.  In the VA context, a correspondent relationship includes “the provision of VASP services by one VASP to another VASP or FI …. characterised by its on-going, repetitive nature.”  

The Chamber strongly advocated for the removal of this language on the grounds that applying the concept of correspondent accounts does not make sense in the VA context because when VASPs hold accounts with other VASPs, it is not typically to facilitate the movement of customer assets, as is the case for correspondent bank accounts.  Unfortunately, this language remains in the final guidance and is one of a number of instances where traditional bank language is being applied to VAs.

 

Counterparty Due Diligence

The updated guidance includes a lengthy new discussion of due diligence expectations for transactions between VASPs.  The updated guidance lays out a three phase approach to counterparty VASP due diligence, which includes (1) determining if the transaction is with a counterparty VASP, (2) identifying the counterparty VASP, and (3) assessing the counterparty VASP.  All three phases should be completed prior to the first transaction with the VASP.  

These changes will likely impose significant data collection and due diligence requirements on VASPs and raise additional concerns such as the security of individuals’ personally identifiable information (PII).  Fortunately, there are a number of industry initiatives to help provide technical solutions that prevent theft and malicious use of data. For example, the Privacy-Preserving Travel Rule Compliance TRISA whitepaper here.

 

Travel Rule guidance 

The updated travel rule guidance tracks closely with the March draft and continues to include a number of additional points related to the travel rule, including further guidance on the responsibilities of various entities in the payment chain and the type of information that must be collected and transmitted.  

One helpful addition is a clarification that transaction fees relating to VA transfers are not within the scope of the travel rule and that “VASPs do not need to identify the recipient of the transaction fee, because the recipient is not the originator or recipient of the VA transfer itself.”

While many of these additions are helpful, the Chamber does not believe this will be sufficient to address the so-called “sunrise problem” of uneven travel rule implementation across countries, which makes compliance particularly difficult for industry.  The Chamber looks forward to continued future engagement with FATF on the travel rule and hopes FATF can identify additional mechanisms to encourage consistent implementation of travel rule requirements across jurisdictions. 

 

Transfers to and from Unhost Wallets

The updated guidance contains new language regarding VA transfers between VASPs and unhosted wallets, which may have important implications for industry.  

Paragraph 179 of the guidance states, “The requirements of Recommendation 16 [the travel rule] apply to VASPs whenever their transactions, whether in fiat currency or VA, involve … a VA transfer between a VASP and a non-obliged entity (i.e., an unhosted wallet).” 

Paragraphs 203 and 204 provide additional detail on this requirement, noting that the requirements apply only with respect to the customer of the VASP and that VASPs are not required to submit any information to persons other than VASPs or other obliged entities.  

However, paragraph 295 later adds that when transferring to or from an unhosted wallet “a VASP should obtain the required originator and beneficiary information from their customer, because they cannot obtain the relevant information from another VASP.”  This requirement is somewhat reminiscent of the unhosted wallet rule proposed by the U.S. Department of the Treasury late last year, which among other measures, proposed to require the collection of counterparty information for unhosted wallet transactions.  However, there is no reporting requirement in the FATF guidance, as was the case for Treasury’s proposed rule.