Sumsub
The Sumsuber

Best practices for KYC/AML

2022-03-09

The Revised FATF Guidance on Virtual Assets: How Does It Affect DeFi? [Updated 09.03.2022]

In October 2021, the FATF revised its guidance on virtual assets. If jurisdictions adopt it, new types of crypto services could fall under AML regulation, so businesses should pay close attention. In this article, we explain how you can prepare for possible changes.

On October 28th, 2021, the Financial Action Task Force (FATF), a global AML standard-setting authority, finalized the updated “Guidance for a risk-based approach to virtual assets and virtual assets service providers.” If adopted in countries following FATF Standards, the new guidance may affect regulations on virtual assets (VAs) and virtual asset service providers (VASPs) in those countries. This may include NFTs, stablecoin providers, and decentralized platforms falling under AML obligations in some cases.

How FATF guidance on virtual assets affects crypto businesses

The FATF issues guidance to enable national regulators to apply FATF Recommendations and help crypto businesses understand their AML/CFT obligations. As with other FATF documents, the guidance is not legally binding. It is up to national regulators to decide whether to implement it word for word, if at all.

Estonia is one of the first jurisdictions to change its legislation to comply with the guidance. On December 23rd, the Estonian government approved a draft law amending its Money Laundering and Terrorist Financing Prevention Act according to the FATF’s approach to decentralized platforms.

How the FATF’s approach to virtual assets has evolved over time

In the 2015 version of its guidance, the FATF extended the risk-based approach to the activities related to virtual assets. In 2018, the FATF updated Recommendation 15, expanding AML requirements to crypto businesses, including cryptocurrency exchanges and wallet providers.

In 2019, the FATF issued an Interpretive Note to Recommendation 15 and revised its guidance on virtual assets. The documents clarified the definition of virtual asset service providers and their AML obligations, namely customer due diligence, KYC, recordkeeping, transaction monitoring, suspicious transaction reporting, and applying the risk-based approach.

Now, as new types of VAs and VA-related services emerge, the FATF has amended its guidance to clarify the status of non-fungible tokens (NFTs), stablecoins, and decentralized platforms. At the same time, the primary AML/KYC requirements for VASPs remain as established in 2019.

Thinking about starting an NFT business? Get Sumsub’s NFT Handbook and learn from our Chief Legal Officer, Tony Petrov, about AML compliance for NFT markets.

Revised guidance on virtual assets: what are the main updates?

The FATF has clarified its functional approach to the definitions of VAs and VASPs, expanding the list of businesses that might fall under AML regulations.

FATF’s functional approach:
Whether a business is a VASP should be determined by the basic characteristics of the asset and the underlying financial services, not by the entity’s operational model, technological tools, ledger design, or any other operating feature.

If the changes are adopted in countries following FATF standards, decentralized platforms and other services may in certain cases fall under the AML scope.

1. Decentralized services may fall under AML/CFT regulations

Who is affected: Decentralized services (DEXes, DApps and P2P platforms).

Old guidance: Decentralized services fell under the VASP definition, although the wording wasn’t clear. According to the old guidance, DApps and their owners/operators/developers could be considered a VASP “when DApps facilitate or conduct the exchange or transfer of value”.

Revised guidance: The guidance introduces the term DeFi and clarifies when DeFi services may be considered VASPs:

  1. The guidance defines DeFi as “the DApps which offer financial services, such as those offered by VASPs”.
  2. In DeFi services, “creators, owners and operators or some other persons who maintain control or sufficient influence…may fall under the FATF definition of a VASP where they are providing or actively facilitating VASP services”. The guidance also clarifies that “a DeFi application (i.e. the software program) is not a VASP under the FATF Standards”.
  3. The guidance suggests that DeFi operators and owners can be determined by their control or sufficient influence over assets or over aspects of the service’s protocol, and by the existence of an ongoing business relationship between themselves and users, even if this is exercised through a smart contract or, in some cases, voting protocols.

As a result, if a DeFi service is considered a VASP after being examined, it will have to comply with AML obligations.

How businesses can prepare: Company-wide AML programs can be developed ahead of time. This includes hiring a compliance officer, drafting internal policies, implementing KYC tools and transaction monitoring, as well as evaluating client risk profiles.

2. Stablecoins may fall under AML/CFT regulations

Who is affected: Providers of stablecoin-related services (stablecoin arrangements).

Old guidance: Stablecoins weren’t covered by FATF Recommendations or the previous version of the guidance. Still, in a June 2020 report to the G20 on so-called stablecoins, the FATF already recommended regulating them as virtual assets or traditional financial assets.

Revised guidance: The FATF confirms that stablecoins are covered by the Standards as either a VA or a financial asset (e.g., a security) according to the same criteria used for any other kind of digital asset, depending on its exact nature and the regulatory regime in a given country.

The FATF also clarifies that stablecoin arrangements may be covered by the FATF Standards either as a financial institution (FI) or a VASP, if they have a governance body:

  • Such a body “consists of one or more natural or legal persons who establish or participate in the establishment of the rules governing the stablecoin arrangement <….> They may also carry out the basic functions of the stablecoin arrangement (such as managing the stabilization function) or this may be delegated to other entities. They may also manage the integration of the stablecoin into telecommunications platforms or promote adherence to common rules across the stablecoin arrangement”.
  • The definition of the governance body doesn’t refer to software code developers of stablecoin arrangements.

The governance body of a stablecoin arrangement may be covered by AML obligations.

How businesses can prepare: The governance body of a stablecoin arrangement should undertake ML/TF risk assessments prior to the launch or use of the stablecoin and take appropriate measures to manage and mitigate risks before launch.

3. NFTs may be virtual assets in some cases

Who is affected: NFTs which are used for payment or investment purposes.

Old guidance: There wasn’t any explanation of whether NFTs should be considered VAs or other assets.

Revised guidance: The FATF provides a definition of NFTs and describes when they should be considered as VAs:

  1. According to the guidance, non-fungible tokens (NFTs) are “digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments”.
  2. NFTs are generally not considered to be VAs under the FATF definition. However, they may fall under the VA definition “if they are used for payment or investment purposes”.

How businesses can prepare: Businesses should apply the FATF Standards to NFTs on a case-by-case basis, taking into account whether NFTs are used for payment or investment purposes. Company-wide AML programs can be developed ahead of time. This can include hiring a compliance officer, drafting internal policies, carrying out risk assessments and implementing KYC tools.

4. Travel Rule implementation by VASPs is clarified

Who is affected: VASPs that send and/or receive VA transfers on behalf of a customer.

Old guidance: The document listed the types of transfers for which VASPs had to comply with the FATF’s Travel Rule, meaning sender and recipient data had to be collected in the course of an electronic transfer and shared with the counterparty to the transfer. This included:

  • Traditional wire transfers;
  • Transfers between a VASP and an obliged entity (another VASP or a financial institution).

The FATF suggested that the Travel Rule might also apply to transfers between VASPs and non-regulated entities (e.g., unhosted wallets), but not to the full extent:

  • For inbound transfers, VASPs were required to obtain information about the sender and recipient from their customer;
  • For outbound transfers, VASPs weren’t required to send information about their customer to the non-regulated counterpart.

The old guidance suggested that regulators could adopt a minimum threshold of USD/EUR 1000 for Travel Rule application.

Revised guidance: The FATF confirms that the Travel Rule should apply to three types of transfers involving VASPs on either side of the transfer:

  • Traditional wire transfers;
  • Transfers between a VASP and a regulated entity (another VASP or a financial institution);
  • Transfers between VASPs and non-regulated entities (e.g., unhosted wallets).

Also, the FATF confirms the Travel Rule limitations for the transfers between VASPs and non-regulated entities:

  • For inbound transfers, VASPs must obtain information about the sender and recipient from the customer;
  • For outbound transfers, VASPs must also obtain information about the sender and recipient from the customer. However, VASPs aren’t required to send the information about their customer to the non-regulated counterpart.

The revised guidance also confirms the minimum threshold of USD/EUR 1000 for the Travel Rule, which can now be adopted by jurisdictions. For VA transfers under this threshold, countries should require that VASPs collect the name of the sender and recipient as well as the VA wallet address for each, or a unique transaction reference number.

How businesses can prepare: Travel Rule compliance requirements differ depending on whether VASPs are acting on behalf of the sender or on behalf of the recipient.

VASPs acting on behalf of the sender must verify the sender and require transfer details from them. The obtained details must then be shared with the entity acting on behalf of the recipient:

  • Sender’s name;
  • Sender’s account number (or wallet address in case of VA transfer);
  • Sender’s physical address, or national identity number, or customer identification number, or client’s date and place of birth;
  • Recipient’s name;
  • Recipient’s account number (or wallet address in case of VA transfer).

The recipient’s name is not required to be verified by the sender’s VASP for accuracy.

VASPs acting on behalf of the recipient must obtain the same sender and recipient details from the entity acting on behalf of the sender. The recipient’s VASP must verify the recipient’s name for accuracy.

The most efficient way for VASPs to comply with the Travel Rule is to find a KYC and crypto monitoring provider that additionally ensures information is shared in a secure manner compliant with data protection regulations.

Where to find out more:

Get in touch with our team to see how Sumsub’s crypto solution can help you develop a legally-equipped and customer-focused AML/KYC framework.
