[co-author: Michael James, Articling Student]
The rise of cryptocurrency and other virtual assets has prompted regulators and supervisors responsible for anti-money laundering rules around the world to develop new guidelines and regulations for people and businesses involved in these assets. .
The Financial Action Task Force (FATF) – the preeminent intergovernmental organization fighting against money laundering, terrorist financing and the integrity of the global financial system – recently published a thematic update of its Guidance for a risk-based approach to Virtual Assets and Asset Service Providers (updated FATF guidance)
Among other things, the updated FATF guidelines:
- adds new Virtual Asset (VA) and Virtual Asset Service Provider (VASP) definitions;
- recommends how the FATF Comprehensive Framework of Measures for Countries to Combat Money Laundering and Terrorist Financing (the FATF Recommendations) could be applied to AVs and VASPs; and
- discusses recent developments in digital assets, including stablecoins, non-fungible tokens (NFTs), decentralized finance (DeFi), and decentralized applications (DApps).
FATF member countries (including Canada and most other G20 countries) refer to FATF Recommendations when drafting their national legislation. Accordingly, individuals in the virtual asset space should be aware of the updated FATF guidance, assess its potential implications for their business, and consider what steps to take to ensure compliance, as these FATF Recommendations may become part of part of national law.
After its creation in 1989, the FATF presented its original Recommendations, which aimed to provide countries with a set of comprehensive actions to combat money laundering and, later, the financing of terrorism.
FATF Recommendations are constantly updated to address new money laundering and terrorist financing risks. For example, in 2018 the FATF amended its recommendations to clarify that they apply to financial activities involving AVs and VASPs.
The FATF has recommended that VASPs be subject to the same standards as financial institutions and designated non-financial businesses and professions in certain respects. The FATF recommends that countries:
- use a risk-based approach to VA activities or operations and VASPs;
- supervising or monitoring VASPs for the purposes of combating money laundering or the financing of terrorism;
- impose licensing or registration requirements on VASPs;
- ensure that VASPs engage in preventative measures, such as customer due diligence, record keeping and suspicious transaction reporting;
- impose penalties and other enforcement measures; and
- engage in relevant international cooperation.
The updated FATF Guidance advocates a risk-based approach to defining VAs and VASPs, and clarifies when VAs and VASPs will fall under the FATF Recommendations. It also deals specifically with stablecoins, NFTs, and DeFi.
Defining and classifying AVs
The FATF defines a VA as “a digital representation of value that can be digitally exchanged or transferred and can be used for payment or investment purposes”. Although this definition should be interpreted broadly, central bank digital currencies and “digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations” are not considered to be AVs.
- Stable Coins
Stable coins, such as Tether and DAI, have become increasingly popular among cryptocurrency users in recent years and are less volatile than cryptocurrencies like Bitcoin and Ether because they derive their market value from an asset underlying external currency, such as gold or the US dollar.
According to the updated FATF guidelines, stablecoins are either a security or a VA, and are therefore subject to FATF recommendations. According to the FATF, stablecoins share many of the same money laundering and terrorist financing risks as other AVs “due to their potential for anonymity, global reach, and use to layer illicit funds “.
In the updated FATF guidance, the FATF also notes that the various entities involved in stablecoins agreements could be classified as VASPs, depending on their role and the terms of the particular agreement.
The FATF describes NFTs as “unique, rather than interchangeable, digital assets that are in practice used as collectibles rather than instruments of payment or investment.” NFTs are generally considered not to be AVs.
However, the FATF cautions that the characterization of an NFT depends more on the nature and function of the NFT than on the terminology or marketing terms used to describe it. NFTs can be AVs in some cases, such as when used for payment or investment purposes. The FATF therefore recommends that countries take a functional case-by-case approach to determining whether an NFT (and any other similarly evolving digital asset) is in fact a AV.
Defining and classifying VASPs
VASPs are defined by the FATF as:
“Any natural or legal person who is not otherwise covered by the Recommendations and who, as a business, carries out one or more of the following activities or operations for or on behalf of another natural or legal person:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling the control of virtual assets; and
- participation in and provision of financial services related to the offer and/or sale of a virtual asset by an issuer.
This definition excludes those who “simply provide ancillary infrastructure” such as cloud data storage providers.
The FATF says that qualifying something as a VASP will depend on the specific circumstances or context. DApps, and more specifically DeFi, are an example of this.
DApps are “software programs that run on a blockchain or similar technology”. These applications may “support other protocols, applications or digital assets and their transfer”, and may facilitate or support the transfer or exchange of AV. The term DeFi is used to categorize a DApp that offers financial services.
The updated FATF guidelines state that DeFi software per se is not a VASP. However, creators, owners, DeFi operators and others who maintain control or significant influence over DeFi agreements may fall within the scope of the VASP definition. This could be true even if other parties are involved or if parts of the process are automated (eg via smart contracts).
As with other referenced digital assets, the FATF recommends that countries take a functional approach to DeFi and any associated VASPS, and be wary of terminology and marketing.
Corresponding actions to be taken by regulators and VASPs
In addition to clarifying the definitions of AV and VASP, the updated FATF Guidance describes how the FATF Recommendations apply to regulators and VASPs. The updated FATF Guidance recommends that VASPs comply with the preventive measures described in the FATF Recommendations and sets out the corresponding obligations.
The FATF notes that VASPs and other entities involved in VA activities should apply all the preventive measures described in recommendations 10 to 21. These recommendations provide practical guidance specific to VASPs, such as:
- conduct customer due diligence for occasional VA transactions over $1,000, and how to conduct such due diligence (recommendation 10);
- put systems in place to identify and report VAs and other suspicious transactions in a timely manner; (Recommendation 20); and
- obtain, maintain and transmit required originator and beneficiary information when transferring VA over $1,000, including for transactions involving non-hosted wallets (i.e. trip”) (Recommendation 16).
The updated FATF guidelines also recommend that countries and regulators work to understand and monitor the heightened risks associated with peer-to-peer (P2P) transactions, which are transfers of VA “made without the use or involvement of a VASP or other obligated entity”. ”
To assist with this objective, the FATF lists specific P2P risk mitigation efforts that countries should consider implementing, depending on the level of money laundering and terrorist financing risk involved in P2P transfers in that specific country.
Key points to remember
- The updated FATF guidelines provide an expanded definition of AVs and VASPS, and outline how countries like Canada will draft their domestic legislation.
- Updated FATF guidance recommends that countries take a functional approach to determining how to characterize a AV or VASP. The practical use of an asset, rather than its label, will be the most determinant of its treatment.
- The FATF Recommendations encourage VASPs to comply with certain specific preventive measures to help protect the integrity of the financial system.
- Countries need to be vigilant to understand the evolving risks that match the evolving nature of digital assets.