Financial Action Task Force Guidance Regarding Digital Asset Exchanges, ICOs, DApps, Wallets and More

1. The Requirements include the following:

a. Recommendation 15 on New Technologies (Recommendation 15), which is one of 40 FATF Recommendations (Recommendations) for AML/CTF programs for countries and financial institutions (updated in October 2018 to expressly reference virtual assets).

b. Definitions of “virtual asset” and “virtual asset service providers” (VASPs) (also originally promulgated in October 2018).

c. A new Interpretive Note to Recommendation 15 (Interpretation) explaining how Recommendation 15 applies to virtual assets, the risk-based approach that countries should take regarding virtual assets and a summary of licensing, supervisory, monitoring and cooperation requirements to be implemented.² 

The Requirements are considered binding on FATF members but are not binding on any individual or entity engaging in activities with virtual currencies. Rather, each country will need to assess Recommendation 15, the Interpretation and glossary terms and determine how to implement them through law, regulation and guidance in their own jurisdiction. Failure to implement the Requirements can lead to a country receiving low ratings in FATF’s peer review process. Too many low ratings result in inclusion on FATF’s list of countries whose AML/CTF measures are deficient. The ratings and lists are public, and inclusion of a country on a list of deficient countries can lead to counterparties in other jurisdictions subjecting individuals and entities from the deficient countries to enhanced due diligence measures and ultimately a prohibition of financial transactions.³

2. The Guidance explains the application of the Requirements and several other FATF Recommendations to member countries and commercial entities that engage in virtual asset activities, including digital asset exchanges, decentralized (distributed) applications (DApps), blockchain technology companies, wallet providers and gaming companies.⁴ The Guidance is not binding and does not overrule the purview of national authorities, including on their assessment and categorization of virtual assets and VASPs and the ML/TF risks.⁵

The Release is designed to reflect the evolution of virtual assets since FATF’s 2015 virtual asset guidance, including initial coin offerings (ICOs), decentralized exchanges and products and services that may reduce the transparency of financial flows.⁶ Much of the substance may appear familiar to U.S. market participants because it is similar to the recent Financial Crimes Enforcement Network (FinCEN) guidance regarding application of the Bank Secrecy Act to certain business models involving convertible virtual currencies.⁷

The Requirements and Guidance

Definitions and Scope

The Requirements define a virtual asset as a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are covered elsewhere in the FATF Recommendations. The Guidance explains that FATF intends for the Requirements to be technology-neutral, and therefore the Requirements do not exempt specific assets that may be defined differently across jurisdictions, such as utility tokens. FATF recommends flexibility in regulating virtual assets and virtual asset activities, which involve a range of products and services in a rapidly evolving space.

The Requirements also clarify that the specific discussion of the coverage of virtual assets and VASPs is not intended to be exclusive of the application of the other more general provisions of the FATF Recommendations; countries should consider virtual assets as “property,” “proceeds,” “funds,” “funds or other assets” or other “corresponding value” for the purposes of applying each of the FATF Recommendations. Furthermore, countries should apply the relevant measures under all of the FATF Recommendations to virtual assets and VASPs.⁸

A VASP is defined as any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person: (i) exchange between virtual assets and fiat currencies, (ii) exchange between one or more forms of virtual assets, (iii) transfer of virtual assets, (iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets, and (v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset. In the context of virtual assets, transfer means to conduct a transaction on behalf of another natural or legal person that moves a virtual asset from one virtual asset address or account to another.

The Guidance provides analysis of the definition of VASP, including in the context of custody, rewards programs, DApps, and peer-to-peer platforms. Although not explicitly listed, it is possible that FATF would consider the definition of VASP to cover token lending activities. They note that some items that on their face do not appear to constitute virtual assets may in fact be virtual assets that enable the transfer or exchange of value or facilitate ML/TF (money laundering and terrorist financing). FATF gives the example of gaming tokens that can be used to obfuscate transaction flows between an in-game token and its exchange for a virtual asset. They also cite secondary markets that exist in both the securities and commodities sectors for goods and services that are fungible, are transferable, and can store and accrue value.

The Guidance explains that safekeeping and administration services under the definition of VASP include persons who have exclusive or independent control of the private key associated with virtual assets belonging to another person or exclusive and independent control of smart contracts to which they are not a party that involve virtual assets belonging to another person.

The discussion of DApps is similar to the recent FinCEN guidance and cites the U.S. Securities and Exchange Commission’s report on the DAO, a decentralized autonomous organization, for an explanation of a DApp.⁹ FATF takes the position that a DApp and its “owners or operators” may fall under the definition of a VASP, without elaborating on who might be considered such an “owner or operator.” Furthermore, as under the FinCEN Guidance, a DApp developer who engages as a business in facilitating the exchange or transfer of value (either virtual assets or fiat currency) may be a VASP.

FATF excludes from the definitions of virtual assets and VASPs certain “closed-loop” activities. This includes closed-loop items that are nontransferable, nonexchangeable and nonfungible, specifically referencing airline miles, credit card awards and loyalty programs points that cannot be sold on the secondary market.

Transaction Thresholds

The Interpretation sets the threshold for occasional transactions above which VASPs are required to conduct customer due diligence at USD EUR 1,000. It is important to note that this is a threshold only for “occasional” transactions and not a complete exemption for transactions under the specified amount.

Risk-Based Approach

The Requirements explain that countries should identify, assess and understand the risks of virtual asset activities, new products, new business practices and new technologies and apply a risk-based approach to ensure that measures to prevent or mitigate ML/TF are commensurate with the risks identified. Importantly, the Guidance clarifies that while virtual asset activities may serve as another mechanism for the illegal transfer of value or funds, countries should not necessarily categorize VASPs or virtual asset activities as inherently high ML/TF risks. The Guidance identifies sectors that may be vulnerable to ML/TF; however, the overall risk should be determined through an assessment of the sector at a national level. Different entities within a sector may pose a higher or lower risk depending on a variety of factors, including products, services, customers, geography and the strength of the entity’s compliance program. Furthermore, the extent and quality of a country’s regulatory and supervisory framework, as well as its risk-based controls and mitigation measures by VASPs influence the risks associated with virtual asset activity in a given country.

FATF has determined that financial institutions should conduct a risk assessment and take appropriate measures to manage and mitigate risks prior to the launch of new products, new business practices or the use of new technologies. In an apparent effort to avoid the prospect of indirectly choking VASP access to the traditional banking sector, the Guidance also emphasizes that it is important that financial institutions apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.

Licensing, Supervision and Monitoring

To manage and mitigate the risks emerging from virtual assets, countries should ensure that virtual asset service providers are regulated for AML/CTF purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations. The Requirements explain that VASPs should be required to be licensed or registered in the jurisdiction where they are created and where a VASP business is located. Jurisdictions may also require licensing or registration of VASPs that offer products or services in or conduct operations from that jurisdiction. For entities doing cross-border business, this creates the prospect of complying with multiple licensing regimes around the world. However, countries need not impose a separate licensing or registration system on individuals or entities already subject to the full range of applicable obligations under the FATF Recommendations. 
Similar to FinCEN’s money services business licensing requirements, the Requirements state that authorities should take measures to prevent criminals or their associates from owning or controlling VASPs. Furthermore, similar to the FinCEN money services business ongoing compliance requirements, the Requirements explain that countries should ensure that VASPs are subject to adequate regulation and supervision or monitoring for AML/CTF that is risk-based.

Information Gathering and Cooperation

The most operationally significant elements of the FATF Release, the Requirements apply the requirements of Recommendation 16, Wire Transfers, to virtual assets, including freezing and prohibiting transactions with sanctioned persons and entities. Similar to FinCEN’s recent guidance that the Funds Travel Rule and Funds Transfer Rule apply to certain transactions in convertible virtual currency, FATF has determined that countries should ensure that originating VASPs obtain and hold certain information regarding originators and beneficiaries of virtual asset transfers, submit the information to the beneficiary VASP or financial institution (if any) immediately and securely and make this information available on request to appropriate authorities.¹⁰ In the Guidance, FATF stresses that it is “vital” that countries ensure that virtual asset transfer providers transmit originator and beneficiary information immediately and securely, particularly given the rapid and cross-border nature of VA transfers. The information can be submitted either directly or indirectly and it is not necessary for the information to be attached directly to virtual asset transfers. While this flexibility is a concession to the industry in recognition of the challenge this requirement poses for existing blockchain protocols, it remains a significant issue for the industry. Authorities are encouraged to cooperate and exchange information on VASPs in order to stop ML/TF.

FATF explains that VASPs and financial institutions are not expected to submit information to individual users who are not required to be licensed or supervised. However, VASPs receiving a virtual asset transfer from an entity that is not a VASP or other obliged entity must obtain the required originator information from their own customer. Furthermore, FATF explains that countries may permit regulated VASPs and financial institutions to rely on a regulated entity that is supervised and monitored for AML/CTF to introduce business and perform part of the customer due diligence process, consistent with Recommendation 17 and U.S. law. Although the Guidance does not specifically address the use of unregulated entities as service provider in support of such processes, such arrangements are common in the United States and presumably were not intended to be precluded by the Recommendation.  

Conclusion

The FATF Release provides a window into how countries around the world are expected to regulate virtual assets and virtual asset activity. Although it will likely take years for countries to implement the Release via binding legal requirements, it is clear that more regulation is on the way. Individuals and businesses involved in virtual assets should consider the effect that these rules may have on their virtual asset activities and how they may be able to provide technical information and guidance to local lawmakers and regulators as they shape local law. In particular, virtual asset market actors should keep in mind the following:

1. Although similar in many ways to the recent FinCEN guidance, the implementation of the Interpretation and related Guidance would expand that model globally.
2. Virtual asset platforms that were not previously regulated may soon be required to register as VASPs in the jurisdictions in which they are incorporated and do business.
3. Licensing and compliance requirements can be lengthy and expensive. Those engaging in virtual asset activities should start planning now for how they will comply in each country in which they have users and other operations.