In October 2021, the FATF revised its guidance on virtual assets. If adopted by jurisdictions, new types of crypto services could fall under AML regulation, so businesses better pay close attention. In this article, we explain how you can prepare for possible changes.
On October 28th, 2021, the Financial Action Task Force (FATF), a global AML standard-setting authority, finalized the updated “Guidance for a risk-based approach to virtual assets and virtual assets service providers.” If adopted in countries following FATF Standards, the new guidance may affect regulations on virtual assets (VAs) and virtual asset service providers (VASPs) in those countries. This may include NFTs, stablecoin providers, and decentralized platforms falling under AML obligations in some cases.
The FATF issues guidance to enable national regulators to apply FATF Recommendations and help crypto businesses understand their AML/CFT obligations. As with other FATF documents, the guidance is not legally binding. It’s on national regulators to decide whether to implement it word by word, if at all.
Estonia is one of the first jurisdictions to change its legislation to comply with the guidance. On December 23rd, the Estonian government approved a draft law amending its Money Laundering and Terrorist Financing Prevention Act according to the FATF’s approach to decentralized platforms.
In the 2015 version of its guidance, the FATF extended the risk-based approach to the activities related to virtual assets. In 2018, the FATF updated Recommendation 15, expanding AML requirements to crypto businesses, including cryptocurrency exchanges and wallet providers.
In 2019, the FATF issued an Interpretive Note to Recommendation 15 and revised its guidance on virtual assets. The documents clarified the definition of virtual assets service providers and their AML obligations, namely customer due diligence, KYC, recordkeeping, transaction monitoring, suspicious transaction reporting, and applying the risk-based approach.
Now, as new types of VAs and VA-related services emerge, the FATF has amended its guidance to clarify the status of non-fungible tokens (NFTs), stablecoins, and decentralized platforms. At the same time, the primary AML/KYC requirements for VASPs remain as established in 2019.
The FATF has clarified its functional approach to the definitions of VAs and VASPs, expanding the list of businesses that might fall under AML regulations.
FATF’s functional approach:
Determining businesses as VASPs should be based on the basic characteristics of the asset and underlying financial services—not the entity’s operational model, technological tools, ledger design, or any other operating feature.
If the changes are adopted in countries following FATF standards, decentralized platforms and other services may in certain cases fall under the AML scope.
Who is affected: Decentralized services (DEXes, DApps and P2P platforms).
Old guidance: Decentralized services fell under the VASP definition, although the wording wasn’t clear. According to the old guidance, DApps and their owners/operators/developers could be considered a VASP “when DApps facilitate or conduct the exchange or transfer of value”.
Revised guidance: The guidance introduces the term DeFi and clarifies when DeFi services may be considered VASPs:
As a result, if a DeFi service is considered a VASP after being examined, it will have to comply with AML obligations.
How businesses can prepare: Company-wide AML programs can be developed ahead of time. This includes hiring a compliance officer, drafting internal policies, implementing KYC tools and transactions monitoring, as well as evaluating client risk profiles.
Who is affected: Providers of stablecoin-related services (stablecoin arrangements).
Old guidance: Stablecoins weren’t covered by FATF Recommendations or the previous version of the guidance. Still, in a June 2020 report to the G20 on so-called stablecoins, the FATF already recommended regulating them as virtual assets or traditional financial assets.
Revised guidance: The FATF confirms that stablecoins are covered by the Standards as either a VA or a financial asset (e.g., a security) according to the same criteria used for any other kind of digital asset, depending on its exact nature and the regulatory regime in a given country.
The FATF also clarifies that stablecoin arrangements may be covered by the FATF Standards either as a FI or a VASP, if they have a governance body:
The governance body of stablecoin arrangement may be covered by AML obligations.
How businesses can prepare: The governance body of stablecoin arrangement should undertake ML/TF risk assessments prior to the launch or use of the stablecoin and take appropriate measures to manage and mitigate risks before launch.
Who is affected: NFTs which are used for payment or investment purposes.
Old guidance: There wasn’t any explanation on whether NFTs should be considered as VAs or other assets.
Revised guidance: The FATF provides a definition of NFTs and describes when they should be considered as VAs:
How businesses can prepare: Businesses should apply the FATF Standards to NFTs on a case-by-case basis, taking into account whether NFTs are used for payment or investment purposes. Company-wide AML programs can be developed ahead of time. This can include hiring a compliance officer, drafting internal policies, providing risk assessment and implementing KYC tools.
Who is affected: VASPs that send and/or receive VA transfers on behalf of a customer.
Old guidance: The document listed the types of transfers for which VASPs had to comply with the FATF’s Travel Rule, meaning sender and recipient data had to be collected in the course of electronic transfer and shared with the counterpart of the transfer. This included:
The FATF suggested that the Travel Rule may have also applied to transfers between VASPs and non-regulated entities (e.g., unhosted wallets), but not to a full extent:
The old guidance suggested that regulators could adopt a minimum threshold of USD/EUR 1000 for Travel Rule application.
Revised guidance: The FATF confirms that the Travel Rule should apply to three types of transfers involving VASPs on either side of the transfer:
Also, the FATF confirms the Travel Rule limitations for the transfers between VASPs and non-regulated entities:
The revised guidance also confirms the minimum threshold of USD/EUR 1000 for the Travel Rule, which can now be adopted by jurisdictions. For VA transfers under this threshold, countries should require that VASPs collect the name of the sender and recipient as well as the VA wallet address for each, or a unique transaction reference number.
How businesses can prepare: Travel Rule compliance requirements differ depending on whether VASPs are acting on behalf of the sender or on behalf of the recipient.
VASPs acting on behalf of the sender must verify the sender and require transfer details from them. The obtained details must then be shared with the entity acting on behalf of the recipient:
The recipient’s name is not required to be verified by the sender’s VASP for accuracy.
VASPs acting on behalf of the recipient must obtain the same sender and recipient details from the entity acting on the behalf of the sender. The recipient’s VASP must verify the recipient’s name for accuracy.
The most efficient way for VASPs to comply with the Travel Rule is to find a KYC and crypto monitoring provider that additionally ensures information is shared in a secure manner compliant with data protection regulations.