Last month, the Financial Action Task Force (FATF), the inter-governmental body that sets global standards relating to anti-money laundering (AML) and combating the financing of terrorism (CFT), published its much anticipated guidance on how its 200+ member and observer states will have to start regulating virtual asset markets in their jurisdictions.
FATF detailed which types of virtual asset (VA) activities (a virtual asset is a representation of currency, rather than currency itself) must be regulated and the minimum requirements it expects from regulators, which far surpasses current efforts in most countries. The guidance can be used as an aid to implement existing FATF recommendations for other financial instruments.
What do the new FATF anti-money laundering regulations mean?
Long-term, this regulatory guidance will formalize AML/CFT best practices and help the cryptocurrency industry mature and achieve more mainstream adoption. In the short-term, regulators, financial institutions (FIs), and industry participants will need to further invest in mitigating the risk of money laundering in line with previous recommendations for other value transfer mechanisms.
The requirement of originator and beneficiary information to accompany every transaction removes the anonymity of digital currency, thus effectively preventing the creation of secrecy havens.
Regulators should take into account proactive, risk-based approaches to compliance.
FATF's virtual asset guidance: Key takeaways
- FATF guidance is technically non-binding, but is being treated as binding. “G-20 members have said they will apply the guidance directly. Secretary Mnuchin of the US Treasury stated recently at the FATF Plenary Session that the Interpretive Note adopted this week includes virtual asset standards that are “binding to all countries.”
- Less FATF has instructed its 200+ member and observer countries to implement the guidance and will begin evaluations within a year. While FATF recommendations went into effect as of last week, countries won't be assessed on compliance until FATF adopts revised methodology for mutual evaluations. We expect that methodology to be drafted by October, and then assessed by FATF for adoption. After adoption, countries will be assessed on the new guidance in their next mutual evaluation. Additionally, third- and fifth-year follow up reports will also be assessed for virtual asset compliance, regardless of when their next evaluation will be executed.
- Virtual Asset Service Provider definition remains broad and technology-neutral. With technology still evolving, guidance is based on the activity rather than industry terms. If you are involved in transferring value in the “chain of transactions,” you will likely fall under the definition of Virtual Asset Service Provider (VASP). It applies equally to natural persons involved in conducting this activity on behalf of others.
- Automated transaction monitoring and customer risk scoring are essential components of an effective AML program.FATF acknowledges that automation is the only realistic way to monitor fiat currency (government-issued currency without intrinsic value that is not representative) and VA transactions at scale.
- Fewer bottlenecks. When teams work on multiple projects, the results are wasted time and inefficiency. A key part of Kanban is to limit the amount of work-in-progress (WIP) items at any given time. Work-in-progress limits highlight bottlenecks and backups in the team's process due to lack of focus, people, or skill sets.
- Recommendation 16 (formerly INR 15-7(b)), which mirrors the "Travel Rule" in the U.S., requires VASPs to send originator and beneficiary information to other VASPs or FIs party to transactions over 1,000 EUR/USD.There is a substantial technical obstacle to implement the “secure” and “immediate” transfer of information to other obliged entities.
- Countries need to regulate and monitor VA activity.A competent authority needs to register / license VASPs. Financial Intelligence Units (FIUs) need to modernize their Suspicious Transaction Report (STR) forms, have competency to do further investigations, and have a regime to freeze and seize accounts when necessary.
- Financial institutions must not de-risk VASPs or customers active in VA activities.Financial institutions, including retail and corporate banks, should instead apply the risk-based approach and find ways to mitigate risks associated to VA activities.
- VASPs need to have customer due diligence (CDD) and enhanced due diligence (EDD) procedures in place, and include that information in their reporting. Regulators must be able to receive and investigate Suspicious Activity Reports generated from FIs and VASPs from their compliance efforts.
- Anti-money laundering compliance needs to be consistent with local privacy laws. When teams work on multiple projects, the results are wasted time and inefficiency. A key part of Kanban is to limit the amount of work-in-progress (WIP) items at any given time. Work-in-progress limits highlight bottlenecks and backups in the team's process due to lack of focus, people, or skill sets.
- Anonymity enhancing cryptocurrencies (AECs) were highlighted for higher AML risk. Expect greater attention from both regulators and financial institutions on AECs. VASPs that “cannot mitigate the risk for AECs should not list them.”
- Not all decentralized exchanges (DEXs), and decentralized applications (DApps) are equal. Guidance leaves room for truly decentralized exchanges and applications with no natural person connected to them to be excluded. However, many will not meet this bar.
- International information sharing is a major factor in mitigating risk of money laundering.International coordination efforts to reduce regulatory arbitrage and speed up information sharing on suspicious activity is necessary to mitigate risk when payments move across borders seamlessly and instantaneously.
What's next in digital currency regulation?
Regulation by jurisdiction
Each of FATF’s member and observer states will now leverage its guidance as a framework for developing or augmenting their own regulations for their individual jurisdictions.
In some jurisdictions, like the United States, where regulations are already well-established and similar to FATF’s guidance, we expect to see stricter enforcement.
In fact, FinCEN recently issued interpretive guidance that builds on their 2013 guidance to clarify the application of existing regulations to the sector.
Countries like South Africa and Chile, where cryptocurrency regulation has not been formally rolled out, may issue new regulations before FATF conducts its mutual evaluations of those countries in the coming months.
Financial system compliance and FATF's mutual evaluations:
FATF conducts peer reviews of each member on an ongoing basis to assess levels of implementation of the FATF Recommendations, providing an in-depth description and analysis of each country’s system for preventing criminal abuse of the financial system.
The first evaluation will be conducted in October in Japan. Japan will likely not be measured on this guidance in their next evaluation, but countries should take a proactive approach in modifying or introducing their cryptocurrency regulations prior to their onsite evaluations.
Following Japan, the Slovak Republic, Vietnam, Georgia, Chile, New Zealand, and Egypt will be evaluated in the near future.
What VASPs should do now
Despite current technical challenges to complying with Recommendation 16, regulators take into account proactive, risk-based approaches to compliance. If they aren’t already, exchanges should:
- Develop risk-based programs tailored for your organization’s particular business, even if the details in your local jurisdiction will be determined in coming months
- Implement know your customer (KYC) and enhanced due diligence processes.
- Implement a transaction monitoring solution and customer risk scoring
- Implement dynamic systems to ensure compliance with sanctions laws
- Establish clear communication with customers about prohibited activities
- File detailed suspicious transaction reports (STRs) where possible with your local financial intelligence unit (FIU)
- Explore options to implement information sharing as per Recommendation 16