Global anti-money laundering (AML) agency the Financial Action Task Force (FATF) has released its updated guidance for firms that handle cryptocurrency and virtual assets.
It appears designed to corral much of the nascent industry into the existing regulatory framework for banks.
After incorporating industry feedback from April 2021, the updated rules for so-called virtual asset service providers (VASPs), published Thursday, signal that regulation is coming for crypto firms, both centralized and decentralized.
Since 2018, the FATF has issued a series of draft papers and working group documents that sought to define VASPs and virtual assets, and also recommend how countries implement the “Travel Rule” for crypto, shorthand for the requirement that VASPs share customer data for transactions over a certain threshold.
More recently, the FATF has tried to account for transactions to and from “unhosted wallets” (generally referred to as non-custodial wallets among crypto users), and also shoehorn into its framework new areas like decentralized finance (DeFi), non-fungible tokens (NFTs) and decentralized autonomous organizations (DAOs).
“We recognize that there are a number of areas where both countries and the private sector have wanted more guidance from the FATF level about how they can implement this in practice,” said FATF policy analyst Ken Menz in an interview with CoinDesk. “I think this really shows just how fast the virtual asset ecosystem changes, and how quickly new technologies, new businesses, new models appear. I think it is a challenge for anyone to just keep on top of everything new that happens in this industry.”
While the release of FATF’s updated guidance will increase the urgency for VASPs to become compliant, there is also a recommendation that regulators be flexible during the initial rollout, acknowledging the real-world issues VASPs and Travel Rule service providers have pointed out to them.
“The FATF is basically saying that regulators can take a staged approach to enforcement of the Travel Rule so their [local] VASPs can realistically implement it,” said Pelle Braendgaard, CEO of crypto AML firm Notabene. “They are also recommending that VASPs be able to continue to do transactions with VASPs in non-compliant jurisdictions, to avoid excluding firms in the developing world, for example.”
The message from FATF is that countries have to implement these standards now, Menz stated. However, taking the Travel Rule as an example, they might want to consider a staged or phased approach to implementing it.
“We recognize there is a lot of effort that goes into building the compliance tools to do this. And there may be a certain level of time that a VASP needs to invest in the necessary technologies to enable them to comply,” Menz said.
One interesting addition on the Travel Rule, buried in paragraph 291 of the updated guidance, is the possibility that a VASP could decide not to share customer data with another VASP deemed to pose a risk to that sensitive data, as pointed out by Siân Jones, the eagle-eyed senior partner at XReg Consulting.
“One thing that leaped out for me was that the updated guidance allows for alternative procedures, including not sending required user information, if a VASP believes a counterpart VASP will not handle transmitted user data securely and the AML/CFT risks are acceptable,” Jones said in an email. “In such cases, VASPs can still execute a transfer but the implication is that such risk assessments are made on a case-by-case basis and therefore could carry significant compliance burden and cost.”
It’s an open question what effect leveling the regulatory playing field will have on a sector whose focus has been solely on innovation for the last decade.
Regulatory clarity is much needed in crypto, and the FATF’s acknowledgment that virtual assets are too big to ignore ought to boost mainstream adoption, said David Carlisle, director of policy and regulatory affairs at Elliptic.
In the meantime, FATF’s updated guidance could – perhaps counterintuitively – present the greatest opportunity for banks and larger financial institutions entering the space, according to Carlisle.
“Complying with financial regulation takes time and money, and businesses that have historically invested in compliance resources will have a significant head start,” Carlisle said. “Banks looking to enter the virtual asset space have been eager for greater regulatory clarity, and the FATF is giving them a huge boost in that regard.”
The fast-moving DeFi arena has proved to be a tricky area in which to set out guidance, given that the FATF standards generally apply to financial intermediaries. The guidance indicates that those who maintain “control or sufficient influence” over a DeFi arrangement should be regulated for AML purposes.
This suggests that where DeFi developers have the ability to restrict coin listings on a decentralized exchange, operate a domain that enables user access, or are otherwise able to intervene in the activities of a DeFi marketplace in a significant way, they could very well be captured by regulation, noted Elliptic’s Carlisle.
“Helpfully, the guidance clarifies that individual governance token holders shouldn’t fall within the regulatory perimeter if they don’t exercise this type of influence over activities in a particular DeFi marketplace,” he said.
The guidance sets out how the FATF standards can apply in a DeFi arrangement and encourages countries to take an expansive approach to the definition of what is a VASP, said FATF’s Menz.
“So, not to focus on the terminology, not to focus on whether something calls itself DeFi and look about what we call owner-operators of DeFi arrangements and the extent to which there’s control or sufficient influence over that protocol in determining whether it would be VASP,” said Menz, adding:
“DeFi has exploded in popularity over the last year, but I don’t think we know exactly how it’s going to evolve over the future, to what extent is it going to be incorporated into traditional finance, will protocols become decentralized or be partially decentralized?”
While the updated guidance shows a good faith effort to address concerns regarding earlier drafts, there were points that still needed to be revised, according to Travel Rule compliance provider Shyft Network, issues that were outlined in the firm’s response to FATF earlier this year.
For example, FATF’s expansive definition of VASPs creates certain inconsistencies around the concept of key signers or holders of a private key who may be involved in the signing of messages on behalf of smart contracts, particularly in the rapidly-expanding realm of DAOs.
The implication, which FATF’s updated guidance provides only a slight nuance around, is that a DAO’s key signers would be classed as being a VASP, Shyft co-founder Joseph Weinberg said in an email.
Another point of contention is FATF’s unclear distinction between development companies and open-source software developers that are individuals. “The final guidance makes minor edits around the use of the term ‘developers,’ but no further clarity is provided to distinguish between development companies and open-software developers,” Weinberg said.
Finally, the application of a bank-grade AML framework onto unhosted wallets remains a major challenge, he said. There is a recommendation from FATF that greater use of blockchain analytics must come into play, but the onus when it comes to mitigating money laundering is on VASPs.
“The final guidance does not provide any further clarity on FATF expectations when VASPs transact with unhosted wallets and in fact reinforces the idea that such virtual asset transfers should be treated as higher risk transactions that require enhanced scrutiny and limitations,” Shyft’s Weinberg said.
UPDATE (Oct. 28, 11:22 UTC): Adds comment from XReg Consulting’s Siân Jones starting in 11th paragraph.