Editorial

FATF’s new virtual asset service provider standards: an important first step

In its 30th year, the Financial Action Task Force (FATF) adopted new standards to address the growing integrity risks posed by virtual assets. The set of virtual asset service provider (VASP) standards, complemented by an extensive guidance note on a risk-based approach to VASPs and virtual assets[1], is an important milestone in the regulation of this new type of asset.

Crypto assets such as Bitcoin and the distributed ledger technology underpinning them have captured the imagination of those who wish to disrupt traditional financial services. These assets and technologies have also secured significant investments. Determining the best approach to ensure that their potential can be harnessed while mitigating the risks they pose has proved challenging. National regulators opted for different approaches ranging from outright banning to adopting a wait-and-see approach. The challenges even extend to classifying the nature of these assets. While those such as Bitcoin and Ethereum are generally known as “crypto-currencies”, many regulators increasingly prefer to classify them simply as crypto or virtual asset, arguing, among others, that they fail to display price stability and trust associated with money and currency[2].

The steps taken by FATF, the first international financial standard-setter to adopt specific standards in relation to these new assets, are welcomed, as they constitute an important first step towards a global regulatory virtual asset approach. This, in turn, may provide a much firmer basis for trust in and usage of these assets. Trust has been undermined by the significant scandals involving virtual assets. These include the hacking of and theft from exchanges such as Mt. Gox and Coincheck, money launderers and terrorist financiers abusing lax customer due diligence controls and frauds involving initial coin offerings, a largely unregulated means of raising funds for a new project by selling “crypto-currency” coins or tokens to investors[3].

While FATF’s interest in these assets reach back to its 2014 guidance on virtual currencies, the new standards were triggered by the G20’s concern about the rising levels of criminal abuse of virtual assets. In July 2018, they requested FATF to clarify how its standards apply to these assets[4].

In response, FATF launched a work stream focused on virtual assets, defined, for their purposes, as “a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations”. This definition includes, but is not confined to, so-called crypto currencies.

The new VASP standards were adopted to ensure that providers of virtual asset services are subject to anti-money laundering and combating of financing of terrorism (AML/CFT) measures equivalent to those applying to money or value transfer services. The standards, set out in Recommendation 15 and detailed in its interpretative note, require countries to ensure that VASPs are regulated for AML/CFT purposes, licensed or registered and subject to effective systems for monitoring and ensuring compliance with the measures called for in the FATF standards. The requirements include the following:

• identifying, assessing and mitigating the risks posed by virtual asset activities and VASPs, implementing a proportional, risk-based approach;

• ensuring that VASPs are subject to adequate regulation and supervision or monitoring for AML/CFT by a competent authority that also has the authority to conduct inspections, compel the production of information and impose a range of sanctions, including the power to withdraw, restrict or suspend a non-compliant VASP’s license or registration;

• ensuring that there is a range of effective, proportionate and dissuasive sanctions, whether criminal, civil or administrative, that could be applied to VASPs and their directors and senior management, when compliance failures occur;

• requiring VASPs to conduct customer due diligence measures, although countries may exempt occasional transactions involving less than USD/EUR1,000; and

• Ensuring that originating VASPs obtain and hold verified originator and required beneficiary information on virtual asset transfers and submit that information to the beneficiary VASP or financial institution (if any) immediately and securely.

It is important to note that the measures are confined to transactions facilitated by VASPs. Non-VASP transactions, for example, person-to-person transfers, are not directly covered by the FATF measures. Indirectly, however, the measures may have some impact on such transfer activity. The money laundering and terrorist financing risks of these unregulated transactions will be high, and the financial institutions that serve the parties to those transactions can be expected to pay close attention to such activity, for example, when virtual assets are exchanged for fiat currency. Regulated institutions may even restrict or refuse services to customers who engage in unregulated and non-transparent virtual asset transactions.

The new measures provide important elements of framework for the development of a more consistent and comprehensive global regulatory approach to virtual assets. There are, however, still many challenges that will need to be addressed before such an approach can be realised. These include the fact that the focus of the FATF VASP measures are restricted to its integrity mandate. Compliance with these measures will limit the risk of money laundering and terrorist financing abuse of virtual assets, but the measures are not designed to protect investors against theft and fraud, increased consumer protection or generally increased stability of the virtual asset market. Some wider positive impact may flow from compliance with AML/CFT measures, but these will be largely incidental. Other global financial standard-setters will therefore need to take similar action and clarify the application of their standards to virtual assets to the extent that they and the related activities fall within their mandates.

Countries will also be wrestling with regulatory questions, including where best to locate the regulatory and supervisory responsibility for VASPs. Would it be best to assign the supervisory responsibility to one of the existing financial supervisory bodies, and, if so, which one would be best suited to the task? Should it, for example, be given the securities regulator, the payments regulator or the AML/CFT regulator, if the country has a single integrity regulator? Alternatively, should the responsibility be divided among two or more existing supervisors or would it be best to set up a new supervisory body? How will appropriate supervisory capacity, especially appropriate fintech and regtech expertise, be ensured? This is a very real challenge for smaller jurisdictions. Based on their risk assessments, some jurisdictions may therefore prefer to prohibit VASPs and virtual asset activities. While this option is allowed by the FATF, these countries will still need to have sufficient capacity to identify, assess and manage related risks, especially related to cross-border transactions and to provide appropriate international cooperation where necessary[5].

The virtual asset industry, on the other hand, will be grappling with the practical implications of compliance with the new FATF-compliant national regulations that will be adopted. FATF consulted with the industry about the impact of the standards, including the proposed travel rule, i.e. the requirement for originator and beneficiary information to accompany or follow virtual asset transfers. The consultation formed a part of the 2019 FATF Private Sector Consultative Forum in May 2019 at the United Nations Office on Drugs and Crime Headquarters in Vienna. A number of private sector representatives at that meeting had difficulty understanding the nature of FATF and viewed it as an opportunity to lobby or pressure the FATF to refrain from adopting VASP standards. A key concern was the absence of technological solutions to implement the travel rule. The rule was initially formulated for the money transfer industry, where payments generally flow between banks via SWIFT. That measure of centralisation is often absent in virtual asset models. Fortunately, key VASPs were prepared to embrace this challenge and step up at the Vienna meeting to take the lead to work jointly towards an appropriate global solution.

The adoption of the new FATF standards is therefore an important step, though only a first step in the new regulatory journey. Much has to be decided and implemented at a public level, an industry level and at institutional levels to give effect to the new measures. Even then, they will only provide partial solutions to the many challenges raised by virtual assets.

As a result, FATF committed to a 12-month review of countries’ and providers’ implementation of the measures. In June 2020, the FATF will report on the implementation of the new standards by countries and also on the progress made by VASPs to develop technology solutions that would enable them to securely submit originator and beneficiary information when conducting virtual asset transfers. Consideration will also be given to the need to update any of the standards to ensure that the FATF standards remain relevant and effective.

FATF must be lauded for adopting the new standards. The challenge of securing sufficient global consensus about appropriate integrity standards for new technologies should not be underestimated. Countries, industries and providers are now challenged to respond. This challenge extends to AML/CFT scholars and experts. They now have an important opportunity to study the new measures, participate in debates about their implementation, assess their impact and inform the 2019–2020 FATF review.