FATF revised guidance – next steps for financial institutions according to BDO


Over the last few years, virtual assets (VA) have moved from the preserve of early adopter enthusiasts to the mainstream.   As this shift to the mainstream occurs, the decentralised nature of virtual assets, the anonymity that many of the platforms provide and the comparative lack of regulation has also proved attractive to criminals.

The Financial Action Task Force (FATF) first introduced guidance in 2018 indicating how virtual assets and virtual asset service providers (VASPs) should be regulated, supervised and how others in the AML regulated sector should manage their risks in dealing with them.

This article covers key points of the FATF guidance. Further articles will look at the regulatory position in key jurisdictions.

How are VAs and VASPs regulated?

The focus of regulation is around the perimeter of activities relating to VA rather than the virtual assets themselves.  Regulation under the FATF model is aimed at those persons (legal or natural) who by way of business carry out the exchange of fiat currency into VAs or of one type of VA to another type of VA, those who facilitate the transfer of VA, those which provide safekeeping or administrative services in respect of VA and those who participate in or provide financial services in relation to the issue or sale of a VA.

This regulatory framework still has gaps in regulation and oversight (for example peer to peer transfers), and this limitation is something that financial institutions should be alert to.

FATF recognises that the VA landscape is subject to constant rapid change.  It therefore has highlighted its three main principles in the guidance.

  • Functional equivalence and objectives-based approach

This means that countries should adapt the FATF guidance in a way which meets the objectives of the relevant Recommendation and fits the local legal system.

  • Technology neutral and future proofed

This should mean that regardless of the platform used or the technology behind the VA or VASP, the provisions should be applied. This will allow for changes in technology as well as catering for different technological models.

  • Functional treatment

This element means that businesses which essentially have the same functions – that is, provide the same or similar services and pose the same risks – should be regulated in the same way. This also means that VASPs which provide the same function in a transaction as a financial institution should be subject to the same regulatory framework and compliance obligations as that financial institution. It also means that a business which in effect carries out the services that a VASP performs should be deemed to be a VASP.

These tests should ensure a degree of future proofing as new entrants, technologies and products come into the market.

Regulation and supervision

The guidance sets out the expected approach and standards of national risk assessment, regulation and supervision.  However, it also recognises that not all countries will move at the same pace.  This means that different jurisdictions may be at different stages in their regulatory journey, which increases the risks, particularly in relation to cross-border transactions.

Travel rule

As has been well-publicised, the guidance extends the so-called “travel rule”. This imposes an obligation to obtain, hold and submit originator and beneficiary information in respect of VA transfers so that those involved can take appropriate action to identify suspicious transactions, screen for sanctions or take other required regulatory actions. This mirrors the requirements for wire transfers of fiat currency. However, the guidance also points out that, as noted above, not all countries will implement the regulatory changes at the same time (the so-called “sunrise issue”). This means a counterparty in a jurisdiction which has implemented the requirements will have to obtain the relevant information as part of the contractual discussions if its counterparty is in a jurisdiction where these provisions are not yet law.

Additionally, since not all transactions require both parties to be a VASP or financial institution (e.g. one side could be an unhosted wallet), any contractual arrangements should ensure that the obliged entity counterparty can obtain the necessary information to meet its obligations.  If the transferor is the obliged entity, it should not be required to send this information to the transferee, but should keep it on its own files.

For transfers involving intermediate parties, each party in the chain must comply with the requirements to provide and retain the relevant information about the originator and beneficiary of the transfer.

What does the guidance mean for you?

The guidance focuses firmly on the risk-based approach.  It is for each jurisdiction to assess and understand the risks applicable to its territory.  This could relate not only to VASPs established within its jurisdiction but also those which carry out transactions within the jurisdiction.   Depending on where such VASPs are established and the maturity of the regulatory  framework in that jurisdiction,  the risks will differ and this should be reflected in national risk assessments and related guidance.

For financial institutions which engage with VASPs, the first step is also to understand the risks posed by the relationship or transaction. The guidance emphasises the importance of applying a risk-based approach in deciding whether to accept or continue a business relationship with a VASP.  Financial institutions should consider whether the risks identified can be properly mitigated or managed rather than taking a “de-risking” approach and denying services to all in the VASP sector.

Therefore, in addition to considering the “macro” risks of the sector included in any available national risk assessment or other intelligence on how and the frequency with which VASPs are used to launder money, the regulatory framework applicable to the sector and the maturity of its supervisory regime and any other general risks, financial institutions should consider the specific risks posed by the VASP seeking services, having regard to the resources, controls and knowledge that they have to manage such exposure.

How should obliged entities manage their exposure to VASPs and VAs?

As noted above, financial institutions are discouraged from taking a de-risking approach and avoiding rather than managing the risks. It will therefore be important to consider the risks applicable to the specific VASP. The relatively recent development of VA technology and VASP businesses, combined with the complexity of blockchain and other DLT applications, can mean that a business overlooks the need to apply the basic tools of economic crime risk assessment. These basic tools, adapted to take account of specific identified risk factors, allow relevant information to be gathered and assessed, and the onboarding or continuance decision and the reasons for it to be documented.

  • As is always the case, there is an obligation to identify and verify the ownership and control structure and key management of the VASP.
  • What products and services does the VASP provide? Does it have exposure to tumblers or mixers or other tools which appear to be designed to facilitate anonymity or prevent tracing transactions?
  • How does the VASP itself carry out its due diligence obligations – what is the profile of its customer base, how does it verify identity and set the parameters for the normal operation of its accounts, how does it establish the client source of funds, and how does it monitor for unusual activity?
  • Are the services of the VASP being promoted in an unusual manner (e.g. in high-risk jurisdictions with which it has no clear connection)?
  • What information does the financial institution have from its own operations – for example, is there any evidence that existing (or former) customer accounts suspected of criminal activity have carried out transactions of concern with this VASP? This might raise concerns of poor controls at the VASP.
  • How does the VASP conduct its business? What is the average size of its transactions and are these limited in size or geographic location?  Which is its target market segment?  Does it facilitate in any way peer to peer transactions?  Are its transactions predominantly online or is there any in person element?
  • In which jurisdictions is the VASP established, and where does it carry out business or engage in activity? What is the status and maturity of the regulatory framework in those locations? This might include consideration of where data is stored or the location of beneficial owners or other funders of the business.

Whilst these standard tools may have to be adapted to reflect the technological nature of VAs and VASPs, FATF reminds financial institutions not to lose sight of these core risk building blocks.

Ongoing monitoring

The guidance focuses more on ongoing monitoring for VASPs rather than those who transact with them, but as for client due diligence, the normal requirements apply.  This will include screening of parties to transactions, ensuring that unusual transactions are identified and reviewed as well as ensuring that the account is used in accordance with the financial institution’s understanding of the nature and purpose of the client relationship.  This would include those customers who act as intermediaries for VASPs.

Conclusion

The FATF guidance inevitably will develop over time as the sector expands and develops.  As VAs are more commonly used and become more popular, it is unlikely that financial institutions will be able to ringfence their activities from those who hold VA or are VASPs.   The FATF guidance provides the framework to manage and mitigate this risk.

Financial institutions should engage with both industry bodies and supervisors, and use any existing public-private partnerships, to develop intelligence on actual use and misuse of VA and VASPs and adapt their approach accordingly. Since the guidance explicitly discourages “de-risking” as a strategy, a focus on understanding the risks, setting a risk appetite and adapting procedures and controls to manage risks within that appetite should be the next step.