FATF releases 2019 guidance on virtual assets

This post was written by Urszula McCormack, Leonie Tear and Nikita Ajwani.

Virtual asset adoption within traditional finance can only occur with clear regulation.  A major piece of this puzzle is anti-money laundering and counter-terrorist financing (“AML/CTF”) obligations.  Without clear rules, many banks struggle to open accounts for blockchain businesses.  It’s also far more challenging for blockchain businesses themselves to create strong policies.

The global standard-setter for AML/CTF has just issued its long-awaited guidance on the subject.  This post outlines the key points.

Background

On 22 February 2019, the Financial Action Task Force (“FATF”) issued a draft Interpretive Note (“IN”) to Recommendation 15[1], setting out implementation requirements for effective regulation, supervision and monitoring of virtual asset service providers (“VASPs”). 

The IN is largely final and expected to be formally adopted as part of the FATF Standards in June 2019. The exception to this relates to wire transfer requirements, the most controversial, with further consultation to be undertaken in May 2019.  There is also a final call for comments generally by 8 April 2019.  We are pleased to be working with industry on feedback.

Key provisions of the Interpretative Note

We provide a short summary of the key provisions in the draft IN, together with our preliminary comments:

  • Virtual assets are “something” and FATF Recommendations must be applied – Countries are required to consider virtual assets to be “property”, “proceeds”, “funds”, “other assets”, or other “corresponding value”.  The relevant measures under FATF Recommendations should be applied to virtual assets as well as VASPs.

Our view: The classification of assets remains very flexible. Virtual assets would generally fall within one of these classes in most jurisdictions – this just helps put the question beyond doubt. However, the application of the FATF Recommendations needs a highly calibrated approach to implementation, especially given the diversity of virtual assets and VASPs out there.

  • The risk-based approach remains key – In identifying, assessing and understanding the money laundering and terrorist financing (“ML/TF”) risks emerging from virtual asset activities and operations of VASPs, countries should apply a risk-based approach (“RBA”), ensuring that preventative measures are proportionate with the risks identified.  Countries must also require VASPs to mitigate any ML/TF risks themselves.

Our view: The RBA is critical to AML/CTF. Every virtual asset is different, as is each VASP business. It is pleasing to see the RBA formally recognised for virtual assets – without it, resources cannot be allocated appropriately and the risk of financial exclusion is greatly exacerbated. It will be important for VASPs to assist in defining AML/CTF risk related to different products / services to avoid a blanket assertion by national regulators (and individual institutions) that all VASPs and products are high risk.

  • VASPs must be licensed or registered – VASPs are required to be licensed or registered in the jurisdiction where they are created; or where VASPs are natural persons, to be licensed or registered in the jurisdiction where their business is located.  Jurisdictions may also require VASPs to acquire a license in the jurisdiction where they offer products and/or services to customers in, or conduct operation from, their jurisdiction. 

Our view:  As we reported late last year, this reflects the recommendation released in October 2018, which was largely welcomed by the industry.  Regulation at least for AML/CTF is also a minimum standard of jurisdictions that have already started regulating the sector, such as Australia, Malta, Bermuda and Gibraltar, with many more in the pipeline.

  • Overlapping regulation should be avoided – Where a natural or legal person is already licensed or registered as a financial institution under the FATF Recommendations, which permits VASP activities and applies a range of necessary obligations, countries will not be required to impose a separate licensing or registration system.

Our view:  This makes perfect sense.  In practice, however, there may well be a tussle to identify the correct regulator(s) and how to deal with overlap.  This is well-worn territory in many jurisdictions – for example, Hong Kong’s Securities and Futures Commission registers banks and their staff for certain regulated activities, but the primary regulator remains the Hong Kong Monetary Authority.  With any luck, pragmatism will prevail.

  • Regulating, supervising and monitoring VASPs is required – Countries are required to ensure that VASPs are subject to adequate AML/CTF regulation, supervision and monitoring. The supervisory authority should not be self-regulated and should have adequate powers to:
    • conduct inspections;
    • compel production of information; and
    • impose disciplinary and financial sanctions, including the power to withdraw, restrict, or suspend a VASP’s licence or registration.

Our view:  Any regulator – new or longstanding – will need to “skill up”.  This is a materially new asset class with its own distinct features, platforms and risks.  The sheer variety of distributed ledgers, assets and VASPs will require the injection of new knowledge and additional resource.  The rapid development of this sector also requires this knowledge and resource to be dynamic.  See also our comments on point #4.

  • There must be penalties for non-compliance – In line with Recommendation 35, countries should ensure that there is effective, proportionate and dissuasive sanctions available to deal with VASPs that fail to comply with AML/CTF requirements.  These criminal, civil, and/or administrative sanctions must also be applicable to directors and senior management of non-compliant entities.

Our view:  Without penalties, regulation is undoubtedly meaningless.  However, the nature of VASPs, many of which operate internationally, and some of which have decentralised features, will present new challenges in enforcement. 

  • Preventative measures must be undertaken – Recommendations 10 to 21 apply to VASPs. This means that VASPs must, amongst other measures:
    • apply customer due diligence (“CDD”) before establishing a business relationship, carrying out an occasional transaction or where suspicion or doubt arises.  The IN states that the occasional transactions designated threshold above which VASPs are required to conduct CDD is USD/EUR 1,000.  This is therefore a stricter requirement than the general rule of USD/EUR 15,000 that applies under Recommendation 10;
    • maintain adequate CDD and transactional records and for at least 5 years; and
    • have controls in place to address the heightened risk of customers who are politically exposed persons (“PEP”), including identifying the PEP status and applying enhanced due diligence (“EDD”).

Our view:  There are several specifics that are being worked through by industry and require close attention.  At a high level, some key practical issues include (1) how and when the valuations of assets should occur (to determine the threshold for occasional transactions), particularly for volatile illiquid assets; (2) when a business relationship should be considered as having been established and whether the mere opening of an account or wallet will suffice in the absence of transactions; (3) whether distributed ledger records can satisfy at least some of the record-keeping requirements; and (4) what EDD will mean in practice, particularly in relation to “source of funds” and chain analytics.

  • Transfers may need to meet wire transfer obligations – The IN specifies that in relation to Recommendation 16 regarding wire transfers, countries should ensure that originating VASPs:
    • obtain and hold required and accurate originator information and beneficiary information on virtual asset transfers;
    • submit the information to beneficiary VASPs and any counterparts; and
    • make the information available on request to appropriate authorities.[2]

It is not necessary for the information to be attached directly to virtual asset transfers.

Our view:  First, we recognise that this is still under consultation – and rightly so.On a positive note, the clarification that information need not be “attached” to a transfer is significant, as this is simply impossible for many virtual asset transactions. 

However, there is currently no broad-based infrastructure for sharing originator and beneficiary information in an efficient manner.  As a result, implementation will be highly dependent on innovation.   One possibility is to try to develop old technology, used by financial institutions, to address new problems.  Alternatively, and preferably, a bespoke set of controls and infrastructure, endorsed at an international level, will be developed to assist VASPs in complying with the required controls.  This type of architecture would require significant time and resource.  Even then, the risk of regulatory arbitrage is high, given that individuals are able to control wallets themselves and peer-to-peer transactions are possible.  A deeper question about whether this requirement is necessary and appropriate for all virtual assets – or whether there are better ways to mitigate risk – also remains on the table.

In any event, there will need to be practical rules about what to do when the information is not available or where grounds for suspicion arise – “stopping” or “freezing” a virtual asset transaction is different to other assets in practice. 

  • International cooperation – In accordance with Recommendations 37 to 40, countries should constructively and efficiently provide the widest possible range of international cooperation in relation to ML/TF and predicate offences relating to virtual assets.  Supervisors of VASPs should exchange relevant information promptly and constructively with their foreign counterparts.

Our view:  We wholeheartedly agree.  

Information to support implementation

Strong systems, such as chain analytics, will be essential to implement FATF’s recommendations.

Data is also key.

For example, we reported on the new frontier in sanctions – OFAC and Bitcoin and how useful data for VASPs is starting to emerge, despite the fact that regulation is being introduced before the technology to comply with it has been developed.  It will be interesting to see how the fintech community continues to rally to the call. 

One possibility is to try to develop old technology, used by financial institutions, to address new problems.  Alternatively, and preferably, a bespoke set of controls and infrastructure, endorsed at an international level, will be developed to assist VASPs in complying with the required controls.  We envisage that this will encompass the use of multi-faceted technology solutions that require interoperability via application programming interfaces (APIs).

Conclusion

Virtual assets present enormous opportunity to positively reshape our financial services sector but there is also the known risk that it opens the doors for criminal activity.  Specifically, without careful regulation, virtual assets may facilitate criminals and terrorists to launder their proceeds or finance their illicit activities.

The IN sets out requirements aimed at preventing the ML/TF risks associated with virtual assets from escalating.  However, it is evident that more guidance will be needed, at a granular level with accompanying infrastructure and technology to allow VASPs to continue to flourish and expand but with appropriate controls in place to prevent abuse by criminals.

In the meantime, we are working with banks, virtual asset exchanges, software developers and industry groups on these important developments and opportunities.

Please reach out to us if you have any questions.



[1]     FATF had amended Recommendation 15 in October 2018 to clarify how the FATF standards apply to activities or operations involving virtual assets.

[2]     Other requirements of Recommendation 16 apply on the same basis as set out in Recommendation 16.

Leave a Reply

Your email address will not be published. Required fields are marked *

8 − 7 =


This site uses Akismet to reduce spam. Learn how your comment data is processed.