The Financial Action Task Force (FATF)’s long-awaited update to its guidance on virtual assets lays out a comprehensive set of guidelines to regulate the quickly evolving cryptocurrency space. With this update released, digital assets firms in the coming years are likely to encounter more clarity on anti-money-laundering and combatting the financing of terrorism (AML/CFT) regulations around the globe, even if some jurisdictions do opt for more restrictive policies than others.
The intergovernmental body’s updated guidance should not surprise anyone who has been tracking regulator discussion on crypto illicit finance, but it does address topics that have faced great regulatory uncertainty, such as decentralized finance (DeFi), stablecoins and “travel rule” compliance.
Yaya J. Fanusie is a former CIA analyst and the chief strategist at Cryptocurrency AML Strategies, an advisory firm in Washington, D.C. He also is an adjunct senior fellow at the Center for a New American Security, focusing on U.S. national security and anti-money-laundering issues relating to digital assets.
What it offers is not one way of dealing with these issues, but it unpacks and defines the risks that jurisdictions must address, often providing a diversity of approaches to keep emerging digital asset developments within a solid regulatory perimeter.
Here are some key takeaways for regulators, along with practical implications for the digital asset industry.
FATF warns regulators to not blindly accept the crypto industry marketing that loosely calls various platforms “decentralized.” In function, these platforms typically have a natural, if not legal, person somewhere who controls or influences their activities. The term “controls or influences” is key and offers a framework to analyze who should be the entity obliged to follow AML/CFT regulations. In FATF’s view, almost all DeFi platforms are still Virtual Asset Service Providers (VASP). FATF offers a broad playbook for bringing DeFi platforms under regulatory oversight, including one suggestion that if a DeFi platform truly has no entity running it, a jurisdiction could order that a VASP be put in place as its obliged entity.
Implications: The rise of new DeFi platforms probably will slow in 2022. And there will likely be contentious legal battles between regulators and blockchain entrepreneurs over who “controls or influences” various DeFi protocols. It is also likely that many organizers of DeFi platforms will start accelerating attempts to become truly decentralized, such as trying to dissolve the on- and off-chain ties that specific individuals may have with platforms. DeFi platforms that operate without following AML/CFT requirements like other regulated VASPs will increasingly be seen as riskier enterprises by those VASPs. DeFi activity is not going to go away but it will probably shrink, just as the once-booming initial coin offering (ICO) phase did a few years ago.
According to FATF, there is one major factor that determines the risks from stablecoins: the potential for wide market adoption. FATF emphasizes that jurisdictions must supervise stablecoin projects before they launch and ensure that these projects have AML/CFT mitigation measures in place in the planning stage.
Implications: Launching a global stablecoin that is truly “global” is likely to get more difficult in the coming year. Regulators will likely feel more urgency to oversee stablecoin issuers and to establish rules and procedures specific to this type of cryptoasset. And although FATF focuses on AML/CFT and sanctions regulation, it seems likely that other types of financial regulators will be emboldened to assert their authority over stablecoins in their respective areas of oversight (e.g., securities regulation, consumer protection, etc.). The United States government certainly is in line with FATF’s take on stablecoins, with the Biden administration last week calling for the U.S. Congress to introduce legislation that increases regulatory oversight on stablecoin issuers.
… but VASPs can restrict users’ engagement with them, as appropriate
FATF does not recommend the outright banning of such wallets, where the private keys that control the funds are held by the user rather than an exchange or another centralized entity. Instead, it pushes regulators to pursue a risk-based approach.
The guidance acknowledges that unhosted wallets lack VASP oversight and thus bring certain risks by not having an obliged entity as an intermediary. Still, FATF explains that regulators need to study the nature and extent of the risks around unhosted wallets in their jurisdictions and manage those risks accordingly. The guidance suggests that one appropriate risk-based approach might be for VASPs to restrict or even prohibit their users from transacting with unhosted wallets. But again, policies should depend on the risk environment and VASPs should use technical tools like blockchain analysis software to counter much of the risk. There is not a one-size-fits-all approach for dealing with unhosted wallets.
Implications: Unhosted wallets have long faced some scrutiny from serious and compliant VASPs and that scrutiny is likely to increase, especially until VASPs develop formal risk-based restrictions such as transaction or volume limits between their users and unhosted wallets. FATF’s directive to study and understand the risks around unhosted wallets may be a boon to blockchain analysis firms. It also may encourage blockchain privacy advocates to double down on their support for anonymizing software. The regulated crypto space is likely to grow, but the unhosted ecosystem will remain as a niche area with significant development and innovation.
VASPs need to get on board with the travel rule already
FATF makes it clear that VASPs must comply with the travel rule and should not let perfect be the enemy of the good.
Even if the crypto industry does not have an agreed-upon compliance solution, VASPs must do what they can to record, and pass on to the next institution, the data about sender and recipient that the rule requires. There are lots of possible technologies that would do this, and FATF leaves it up to the industry to implement as appropriate.
Probably the handiest part of this update is a table with all the information that VASPs need to record and/or transmit, depending on whether the entity is the originator or beneficiary of a virtual asset transaction (see Table 1 on page 59). Also, FATF acknowledges the importance of data handling and privacy and hammers home the point that VASPs must do due diligence on counterparty VASPs before sharing travel rule-related data with them.
Implications: This should accelerate the industry’s experimentation with travel rule compliance. At the very least, some VASPs may not wait for industry-wide solutions and will probably try to create their own channels and mechanisms to comply, even if this may be an inefficient approach overall. But if there was any skepticism in the industry about the need to implement the travel rule, there’s little room for debate on it any more.
I noticed two things purposefully left out of the update that I believe are important.
One, this guidance explicitly does not relate to central bank digital currencies (CBDC). There is a good reason for this. CBDCs will likely be regulated as fiat currencies and including them under the guidance for permissionless virtual assets may complicate matters. Plus, there are only a few CBDCs that have actually launched. It would be a bit premature for FATF to address CBDCs. However, as CBDC pilots progress, they will deserve more attention by FATF. CBDCs will not proliferate without bringing new financial crime risks, as I spelled out last year in a Lawfare paper.
The other thing left out of the guidance is the risk arising from the potential of merchants widely adopting virtual assets as payments for goods and services. FATF specifies that a merchant accepting cryptocurrencies is not a VASP, but that a company that processes crypto payments on a merchant’s behalf is one. As with CBDCs, it may be premature to develop AML/CFT and sanctions guidance for the merchant crypto payments that don’t involve an intermediary payment processor. But regulators will have to give attention to this if merchant crypto payments scale up, especially if a significant number of merchants use unhosted wallets, as I discussed earlier this year in this article.