March 24, 2021
On the first weekend of the NCAA basketball tournament, a.k.a. March Madness, the global Financial Action Task Force (FATF), the United Nations for anti-money laundering, took a big shot. FATF released a public consultation for its updated Draft Guidance on a "Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers (VASPs)." Essentially, FATF provided a redline version of its June 2019 cryptocurrency guidance in light of the almost daily changes in technology, innovation, and adoption across the cryptoverse. Like any big time program, it is clear that FATF was not about to concede the landscape to upstarts like unhosted wallets, decentralized finance (DeFi) and Non-Fungible Tokens (NFTs) without a response.
FATF's recommendations are way more than recommendations - they will quickly become regulatory gospel across the globe. And, the recommendations in the updated guidance are game changers. As the crypto industry readies its buzzer beater to respond to FATF's April 20, 2021, deadline for comments, let's dive into what this draft guidance says and what it means for the cryptoverse.
Why Does FATF Matter?
First, Financial Intelligence Units (FIUs) such as the U.S. Financial Crimes Enforcement Network (FinCEN) around the globe look to FATF for guidance in implementing anti-money laundering regimes. FinCEN describes FATF's recommendations as, “the comprehensive set of measures that countries should have in place within their criminal justice and regulatory systems and the preventive measures to be taken by financial institutions and other businesses and professions."
Second, if FATF members do not comply with FATF recommendations there are significant consequences which can include anything from a warning letter to a suspension or termination. FATF's recommendations are much more than just that. FATF recommendations are heeded and implemented. These recommendations are ultimately the regulatory framework that global regulators must implement and the compliance infrastructure that global businesses must build. So, as our next few weekends are spent consuming hours of jump shots and cross overs, three pointers and free throws, FATF's 99 pages of updated guidance could be the biggest shot of all.
What is a Virtual Asset Service Provider?
By now we all know the definition of a Virtual Asset Service Provider (VASP). Quick refresher - a VASP is a crypto-business that conducts any one of the following activities:
- Exchange between virtual assets and fiat currencies;
- Exchange between one or more forms of virtual assets;
- Transfer of virtual assets;
- Safekeeping and/or administration of virtual assets or instruments enablingcontrol over virtual assets; and
- Participation in and provision of financial services related to an issuer’s offerand/or sale of a virtual asset.
FATFs' definition of a VASP is perhaps the most critical definition in the cryptoverse - whether or not your crypto business is expected to implement a costly risk-based compliance program can hinge on this definition. Much of the "revised" part of the revised guidance lives in the VASP definition section. In fact there are about 12 redlined pages dedicated to the topic.
FATF is not simply playing defense with its VASP definition either. The updated guidance aggressively drives to the hoop on a number of crypto Twitter's most burning questions. Perhaps none hotter than the questions around DeFi.
FATF Regulates DeFi
Here's the headline! FATF is ready to recommend regulations for certain DeFi platforms, labeling them as VASPs and requiring all the enhanced due diligence, KYC, and transaction monitoring that comes with that distinction.
Rather than refer to DeFi in the updated guidance, FATF goes broader referring to decentralized or distributed applications (DApps). DApps can be used for any number of purposes including gaming and gambling. DeFi is simply the use case for bringing financial services to crypto. With DeFi, you can do most of the things that banks support — earn interest, borrow, lend, buy insurance, trade derivatives, trade assets, and more — but it’s faster and doesn’t require paperwork or a third party. As with crypto generally, DeFi is global, peer-to-peer (meaning directly between two people, not routed through a centralized system), pseudonymous, and open to all. Bottom line, FATFs guidance recommends regulating many DeFi protocols like VASPs. FATF clarifies:
A DApp itself (i.e. the software program) is not a VASP under the FATF standards, as the Standards do not apply to underlying software or technology. However, entities involved with the DApp may be VASPs under the FATF definition. For example, the owner/operator(s) of the DApp likely fall under the definition of a VASP, as they are conducting the exchange or transfer of [virtual assets] as a business on behalf of a customer. The owner/operator is likely to be a VASP, even if other parties play a role in the service or portions of the process are automated. Likewise, a person that conducts business development for a DApp may be a VASP when they engage as a business in facilitating or conducting the activities previously described on behalf of another natural or legal person. The decentralization of any individual element of operations does not eliminate VASP coverage if the elements of any part of the VASP definition remain in place.
So what makes an entity "involved" with a DApp a VASP? FATF lays out several factors that equal "involvement," "such as creating and launching an asset, setting parameters, holding an administrative “key” or collecting fees." FATF continues, ". . . a party directing the creation and development of the software or platform and launching it for them to provide financial services for profit likely qualifies as a VASP." So, if an entity is involved in the DApp, whether "creating and launching an asset, setting parameters [in the protocol], holding an administrative "key" or collecting fees", then it is likely a VASP.
But, FATF goes even further with this dunk on DeFi:
The use of an automated process such as a smart contract to carry out VASP functions does not relieve the controlling party of responsibility for VASP obligations. For purposes of determining VASP status, launching a self-propelling infrastructure to offer VASP services is the same as offering them, and similarly commissioning others to build the elements of an infrastructure, is the same as building them.
In other words, FATF is saying that if an entity publishes software that facilitates regulated financial activity — transfer, exchange, safekeeping and administration, issuance, etc. — it is a VASP if it profits directly or indirectly from that software. Does this mean that if an entity publishes a totally decentralized DeFi protocol - no administrative key, no collection of fees - but the entity, like any business, makes a profit, then that entity is VASP? No free throw from FATF for DeFi.
CBDCs Are Out, Stablecoins Are In
As central banks around the globe race to issue central bank digital currencies (CBDCs), FATF makes clear that it does not consider CBDCs to be virtual assets, and instead treats them like fiat currencies issued by central banks. Stablecoins, however, meet the test. The guidance explains, "So-called stablecoins purport to overcome the price volatility issues associated with [virtual assets] by maintaining a stable value relative to some reference asset or assets. They share many of the same potential ML/TF risks as some [virtual assets], because of their potential for anonymity, global reach and use to layer illicit funds." So how does FATF decide whether or not a new token is a "virtual asset?" The updated guidance provided some insights illustrated on the flow chart below.
Not only are stablecoins a virtual asset, but, according to FATF, the entities involved in any so-called stablecoin arrangement will have AML/CFT obligations," and be regulated as a VASP. FATF explains that stablecoin governance bodies that simply manage the stabilization function, integrate the stablecoin in telecommunication platforms, or directly or indirectly profit — are VASPs.
What Does FATF Think of Cryptokitties?
So what does FATF think of NBA Top Shot, Cryptokitties and a $69 million digital Beeple? Well, not entirely sure what FATF thinks about the NFT explosion, but the updated guidance does provide some clues. First, FATF clarifies that it "does not seek to capture the types of closed-loop items that are non-transferable, non-exchangeable, and non-fungible," such as "airline miles, credit card awards or similar loyalty rewards program rewards or points which an individual cannot sell onward in a secondary market outside of the closed-loop system."
FATF, always technology neutral, makes clear that its concern is with businesses that act as VASPs:
Flexibility is particularly relevant in the context of [virtual assets] and [virtual asset] activities, which involve a range of products and services in a rapidly-evolving space. Some items—or tokens—that on their face do not appear to constitute [virtual assets] may in fact be [virtual assets] that enable the transfer or exchange of value or facilitate ML/TF. Secondary markets also exist in both the securities and commodities sectors for “goods and services” that are fungible and transferable. For example, users can develop and purchase certain virtual items that act as a store of value and in fact accrue value or worth and that can be sold for value in the VA space.
While FATF does not appear eager to regulate the technology, FATF is prepared to regulate any entity that performs VASP-like functions including companies that issue, sell, and/or custody virtual assets in relation to the sale or issuance of NFTs. In other words, not every NFT is a VASP, but if you are selling NFTs that are convertible or can be sold in a secondary market, then, under the updated guidance, you are a VASP.
FATF Jumps Into the Unhosted Wallets Fray
In attempting to deal with the issue of unhosted or self-hosted wallets, or what FATF calls "peer to peer transactions (P2P)," FATF provides additional guidance.
While FATF states that, "P2P transactions are not explicitly subject to AML/CFT obligations," because FATF typically regulates intermediaries, "if P2P transactions gain widespread and mainstream traction and are readily used as a means of payment or investment without a VASP . . . [this] could increase and possibly lead to systemic ML/TF vulnerabilities in some jurisdictions."
The updated guidance warns that crypto businesses "should consider whether any [virtual assets] or products they plan to launch, or transact with, will enable P2P transactions and, if so, how ML/TF risks should be mitigated. The ML/TF risks are more difficult to address and mitigate once the products are launched, and thus should be addressed in the design or development phase. Similarly, VASPs and other obliged entities should consider the extent to which their customers may engage in, or are involved, in P2P activity. Countries should also consider how ML/TF risks of P2P transactions for some VAs may be mitigated through, for example, blockchain analytics, which may provide greater visibility over P2P transactions."
FATF recommends risk mitigation measures to include:
- requiring the filing of the crypto equivalent of currency transaction reports (CTRs);
- denying licensing of VASPs if they allow transactions to and from unhosted wallets;
- placing additional record keeping and due diligence requirements on VASPs that allow transactions to or from unhosted wallets;
- Other measures including issuing public guidance on peer to peer transactions and training regulators and law enforcement on the risks.
Don't Get Called for Traveling
The updated guidance revisits the "Travel Rule" - which requires VASPs to ensure that certain customer data is disclosed and transferred between counterparties as a part of a cryptocurrency transaction - with more specificity about what is expected. Specifically, the revised guidance makes clear that:
- VASPs that have not implemented the “Travel Rule” should be considered higher-risk.
- A VASP needs to undertake counterparty VASP due diligence before they transmit the required information.
- Originators and beneficiary VASPs should screen transactions to ensure that the counterparty does not have sanctions exposure.
- In the case of unhosted wallets - where there is not an originator or beneficiary institution - a VASP must still collect the required information with respect to their customer.
- VASPs are expected to engage in robust counterparty due diligence that may include "blockchain analytics services."
Conclusion: The Word of the Day is "Broadly"
There is a lot more to the updated guidance - proliferation financing risks, recs related to the registration and licensing of VASPs, and an emphasis on the need for cross-border information sharing by governments and private sector entities alike.
While there is a lot to unpack in FATFs updated guidance, there are at least two clear simple takeaways:
First, FATF wants you to expand your mind. The updated guidance is intended to "addresses AML/CFT supervision broadly," definitions "should be interpreted broadly," and jurisdictions should "consider that broader coverage is the safer course." In fact, FATF uses the term "broad" or "broadly" 22 times. As FATF works to build a regulatory framework that keeps up with the lightening speed of innovation, the expectation is that regulators and businesses interpret its guidance broadly and inclusively.
Second, FATF is clearly focused on meeting head on the latest in technological innovation. The updated guidance is really much more than an update. It is a document that demonstrates FATFs commitment to addressing crypto's biggest questions in close to real time. The revised guidance addresses some of the hottest topics in crypto - CBDCs, stablecoins, DeFi, and NFTs. FATF will clearly continue to follow the ball and even try to predict where the ball is going next. In other words, FATF will follow the shot.