Written By Simon Grant, Nathan Shaheen, Alex Payne, Shaan Tolani and Michael James
The rise of cryptocurrency and other virtual assets has pushed regulatory and supervisory bodies responsible for anti-money-laundering rules around the world to develop new guidance and regulations for persons and businesses involved with such assets.
The Financial Action Task Force (FATF)—the pre-eminent intergovernmental organization that addresses money laundering, terrorist financing, and the integrity of the global financial system—recently released a topical update to its Guidance for a Risk Based Approach to Virtual Assets and Virtual Asset Service Providers (Updated FATF Guidance)
Among other things, the Updated FATF Guidance:
- adds new definitions of virtual asset (VA) and virtual asset service provider (VASP);
- recommends how FATF’s comprehensive framework of measures for countries to combat money laundering and terrorist financing (the FATF Recommendations) could be applied to VAs and VASPs; and
- addresses recent developments in digital assets, including stablecoins, non-fungible tokens (NFTs), decentralized finance (DeFi) and decentralized applications (DApps).
FATF member countries (including Canada and most other G20 nations) refer to FATF’s recommendations when drafting domestic law. Accordingly, persons in the virtual asset space should be aware of the Updated FATF Guidance, assess its potential implications for their business and consider what measures ought to be taken to ensure compliance, as these FATF Recommendations may become part of domestic law.
Following its creation in 1989, FATF introduced its original Recommendations, which were intended to provide countries a set of comprehensive actions to combat money laundering and, later, terrorist financing.
The FATF Recommendations are consistently updated to address new money laundering and terrorist financing risks. For example, in 2018, FATF amended its recommendations to clarify that they apply to financial activities involving VAs and VASPs.
FATF has recommended that VASPs be held to the same standard as financial institutions and designated non-financial businesses and professions in certain respects. FATF recommends that countries:
- employ a risk-based approach to VA activities or operations and VASPs;
- supervise or monitor VASPs for anti-money laundering or counter terrorist financing purposes;
- impose licensing or registration requirements on VASPs;
- ensure VASPs engage in preventive measures, such as customer due diligence, recordkeeping and suspicious transaction reporting;
- impose sanctions and other enforcement measures; and
- engage in relevant international co-operation.
The Updated FATF Guidance advocates for a risk-based approach to the definition of VAs and VASPs, and clarifies when VAs and VASPs will fall within the FATF Recommendations. It also specifically addresses stablecoins, NFTs and DeFi.
Defining and Classifying VAs
FATF defines a VA as “a digital representation of value that can be digitally traded or transferred and can be used for payment or investment purposes.” While this definition should be interpreted broadly, central bank digital currencies and “digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations” are considered not to be VAs.
Stablecoins, such as Tether and DAI, have become increasingly popular among cryptocurrency users in recent years, and are less volatile than cryptocurrencies like Bitcoin and Ether as they derive their market value from some underlying external asset, such as gold or the U.S. dollar.
According to the Updated FATF Guidance, stablecoins are either a security or a VA, and are therefore subject to the FATF Recommendations. According to FATF, stablecoins share many of the same money laundering and terrorist financing risks as other VAs “because of their potential for anonymity, global reach and use to layer illicit funds.”
In the Updated FATF Guidance, FATF also notes that the various entities involved in stablecoin arrangements could be classified as VASPs, depending on their role and the terms of the particular arrangement.
FATF describes NFTs as “digital assets that are unique, rather than interchangeable, and that are in practice used as collectibles rather than as payment or investment instruments.” NFTs are generally considered not to be VAs.
However, FATF cautions that the characterization of an NFT depends more on the nature and function of the NFT, rather than the terminology or marketing terms used to describe it. NFTs may be VAs in some cases, such as when they are used for payment or investment purposes. FATF therefore recommends that countries take a functional, case-by-case approach to determine whether an NFT (and any other similarly evolving digital asset) is in fact a VA.
Defining and Classifying VASPs
VASPs are defined by FATF as:
“Any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.”
This definition excludes those who “merely provide ancillary infrastructure” such as cloud data storage providers.
FATF says that whether something qualifies as a VASP will depend on the specific circumstances or context. DApps, and more specifically DeFi, are one such example.
DApps are “software programs that operate on a blockchain or similar technology.” These applications may “support other protocols, applications, or digital assets and their transfer,” and can facilitate or support the transfer or exchange of VAs. The term DeFi is used to categorize a DApp that offers financial services.
The Updated FATF Guidance says that DeFi software in itself is not a VASP. However, DeFi creators, owners, operators and others who maintain control or significant influence over DeFi arrangements may fall within the scope of the VASP definition. This could hold true even if other parties are involved or parts of the process are automated (such as through smart contracts).
As with the other digital assets referenced, FATF recommends that countries take a functional approach to DeFi and any associated VASPS, and to be wary of terminology and marketing.
Corresponding Measures for Regulators and VASPs to Take
In addition to clarifying the definitions of VA and VASP, the Updated FATF Guidance outlines how the FATF Recommendations apply to regulators and VASPs. The Updated FATF Guidance recommends that VASPs comply with the preventive measures described in the FATF Recommendations and outlines corresponding obligations.
FATF notes that VASPs and other entities involved in VA activities should apply all the preventive measures described in Recommendations 10 to 21. These Recommendations provide specific, practical guidance to VASPs, such as:
- conducting customer due diligence for occasional VA transactions over US$1000, and how to conduct such diligence (Recommendation 10);
- putting systems in place to identify and report suspicious VA and other transactions in a timely manner; (Recommendation 20); and
- obtaining, holding, and transmitting required originator and beneficiary information, when conducting VA transfers over US$1000—including for transactions involving unhosted wallets (i.e., the “travel rule”) (Recommendation 16).
The Updated FATF Guidance also recommends that countries and regulators aim to understand and monitor the heightened risks associated with peer-to-peer (P2P) transactions, which are transfers of VAs “conducted without the use or involvement of a VASP or other obliged entity.”
To assist in this goal, FATF lists specific P2P risk mitigation efforts for countries to consider implementing, depending on the level of money laundering and terrorist financing risk involved with P2P transfers in that specific country.
- The Updated FATF Guidance provides an expansive definition of VAs and VASPS, and provides insight on how countries like Canada will draft domestic legislation.
- The Updated FATF Guidance recommends that countries take a functional approach to determining how to characterize a VA or VASP. An asset’s practical use, rather than its label, will be most determinative of its treatment.
- FATF’s Recommendations encourage VASPs to comply with certain specific preventative measures to help protect the integrity of the financial system.
- Countries must be vigilant in understanding the evolving risks that correspond with the evolving nature of digital assets.
If you have any questions about the information in this blog post or are in need of legal counsel regarding securities or economic crime related issues, please contact a member of the Bennett Jones Fraud Law Group or Financial Services Group.