The updated guidance sets out new requirements, amends existing ones and clarifies the 2019 guidance, which this update will replace.

The revised document updates six main areas to:

(1) clarify the definitions of VA and VASP to make clear these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a VA or as a traditional financial asset);

(2) provide guidance on how the FATF Standards apply to stablecoins;

(3) provide additional guidance on the risks and potential risk mitigants for peer-to-peer transactions;

(4) provide updated guidance on the licensing and registration of VASPs;

(5) provide additional guidance for the public and private sectors on the implementation of the ‘travel rule’; and

(6) include Principles of information-sharing and co-operation among VASP supervisors. The guidance has also been updated to reflect the passage of time and the publication of other relevant FATF reports.

The revision sets out functions and assets that are within scope of the guidance, for example  stablecoins and virtual assets issuers; and those that fall outside, such as cloud service providers. It also provides options to ban or restrict the use of unhosted wallet software providers.

The update also expands the travel rule requirements, where VASPs have to submit information to counterpart VASPs with regard to transaction originators and beneficiaries.

These changes to the pre-existing guidance aim to maintain a level playing field for VASPs, based on the financial services they provide in line with existing standards applicable to financial institutions and other AML/CFT-obliged entities, as well as minimisng the opportunity for regulatory arbitrage between sectors and countries.

The consultation closes on 20 April 2021 and the updated guidance is likey to be adopted at the June FATF plenary session.

The FATF said that the changes are as follows:

"Revision of R. 1 and INR. 1 to require countries, financial institutions and DNFBPs to identify and assess the risks of potential breaches, non-implementation or evasion of the targeted financial sanctions related to proliferation financing, as contained in FATF Recommendation 7, and to take action to mitigate these risks."

"Minor consequential amendment in R.2 to insert reference to counter proliferation financing in the context of national co-operation and co-ordination. Insertion of a new interpretive note that sets out the inter-agency framework to promote domestic co-operation, co-ordination and information exchange"

The FATF said that the indicators are "specific to the inherent characteristics and vulnerabilities" linked to virtual assets, but they are not exhaustive and do not apply in all situations either. They are often just one of many elements that contribute to a "bigger overall picture" of potential money laundering or terrorism financing risks. As such, they should not be viewed in isolation.

The report should help virtual asset service providers, financial institutions, and designated non-financial businesses and professions, and other reporting entities detect and report suspicious transactions.

It will also provide useful information for financial intelligence units, law enforcement agencies, prosecutors and regulators to analyse suspicious transaction reports or monitor compliance with anti-money laundering and counter-terrorist financing (AML/CTF) controls.

The report highlights the most important indicators that could suggest criminal behaviour.

The key red flag indicators relate to:

• transactions; 
• transaction patterns; 
• anonymity; 
• senders or recipients; 
• source of funds or wealth; and 
• geographical risks.

The report is based on more than 100 case studies that were collected by the FATF Global Network between 2017-20, the June 2019 Confidential FATF Report on Financial Investigations Involving Virtual Assets and the June 2014 FATF Report Virtual Currencies Key Definitions and Potential AML/CFT Risks, and information on the misuse of virtual assets in the public domain.

The FATF also issued three other reports on:

• Virtual Assets Red Flag Indicators for Financial & Non-Financial Sectors. 
• Virtual Assets Red Flag Indicators for Virtual Asset Service Providers. 
• Virtual Assets Red Flag Indicators for the Public Sector.

The report notes that both governments and industry have made some progress in implementing the FATF standards covering VASPs, but there is much more to be done. Companies and governments have also made progress towards compliance with the “Travel Rule”. FATF plans to issue updated guidance, continue to work with the private sector, continue to promote international cooperation, and expects to issue another report reflecting further progress in 12 months.

VASPs should expect:

1. increased government regulations to conform to the FATF standards over the next year;
2. emphasis from both regulators and counterparties to comply with the Travel Rule, no later than June 2021; and
3. eventually, enforcement activity.

The FATF issued a report to the G20 finance ministers and central bank governors to review of the implementation of its revised standards on virtual assets and VASPs. This report was anticipated as a follow-up from last year’s review to determine the status of implementation of the FATF recommendations, to determine whether any revisions were required, and to announce anticipated next steps.

The report is titled 12-Month Review of the Revised FATF Standards on Virtual Assets and Virtual Asset Service Providers.

Virtual assets and VASPs

The report sets out how money laundering and terrorism financing risks and the virtual asset market have changed since June 2019; jurisdictions’ progress in implementing the revised standards; the private sector’s progress in implementing the revised standards, including the development of technical solutions for the implementation of the Travel Rule; issues identified with the revised FATF standards and guidance; and next steps regarding virtual assets.

State of the Jurisdictions

That report finds that both the public and private sectors have made certain progress in implementing the revised FATF standards, which were issued in June 2019.  The report notes that although regulatory oversight of VASPs is “generally nascent, there is evidence of progress.” According to the report, many jurisdictions have taken steps towards codifying the standards into their national legal/regulatory regimes. Of those jurisdictions responding to the FATF survey, 35 out of 54 reporting jurisdictions said they have now implemented the revised standards, with 32 countries regulating VASPs and three prohibiting their operation. Nineteen reporting jurisdictions had not yet implemented the standards.

But importantly, these survey responses are self-assessments, not actual FATF evaluations. Moreover, because the survey was voluntary across FATF’s membership (as well as FATF-Style Regional Bodies), the Report acknowledges that potentially many more than 19 jurisdictions had no current regime (or less-than-expected rules) in place.

The Travel Rule

One area that has received significant attention in this space involves the Travel Rule, which requires covered financial institutions (including VASPs) to obtain, maintain, and transfer information regarding the originators and beneficiaries of certain transactions. This Rule, which is already in place in certain jurisdictions (such as the United States), appears in Recommendation 16 of the 2019 FATF Report.

The 2020 Report notes that FATF has been monitoring the progress in developing solutions to, and compliance with, the Travel Rule, and that implementation of the Travel Rule has been less than for other AML/CFT rules. The Report notes an international industry-wide initiative, which includes a “common universal language for communication of the required originator and beneficiary information between VASPs.”

But it also notes that “[i]n line with decentralisation ethos that underpins virtual assets, there appears to be a general desire for multiple potential solutions, rather than one centralised travel rule solution.” Despite potential issues regarding interoperability between multiple standards, and concerns with how VASPs should deal with other VASPs which are located in jurisdictions which have not yet implemented the Travel Rule (known as the “sunrise issue”), the FATF report does not dictate how solutions should develop.

Importantly, despite acknowledging these issues, the FATF Report “calls upon the VASP sector to redouble its efforts towards the swift development of holistic technological solutions encompassing all aspects of the travel rule.” Curiously, the Report notes that because Recommendation 16 was delayed, this “adds to the importance of the quick development of technology solutions.”

And as described below, the FATF concluded that it would not – at this time – further revise its AML/CFT standards on virtual assets and VASPs, but notes that when it conducts its next review by June 2021, jurisdictions will have had time to implement the rules (including the Travel Rule) into their national law, and “the VASP sector will have had time to implement travel rule solutions globally.”

Next steps

While the Report acknowledges the progress that has been made on overall AML/CFT implementation, the FATF is sanguine about the additional work to be done. Although it considered whether any of the Recommendations and Standard needed to be revised, the Report concludes that they would not, and that updated guidance should be used at first, and that future revisions to the standards would be considered if the FATF’s further review “identifies issues which updated Guidance cannot resolve.”

To conclude, the FATF said that, in the coming year, it will: 

• continue its enhanced monitoring of virtual assets and VASPs, resulting in another 12-month review, to be published in one year (i.e., by June 2021);
• release updated guidance on virtual assets and VASPs, including stablecoins and the Travel Rule;
• continue to promote the understanding of ML/TF risks involved in transactions using virtual assets with public advisories, including red flag reports and case studies;
• continue and enhance its engagement with the private sector through the FATF’s Virtual Assets Contact Group; and
• continue its program of work to enhance international cooperation with the regulators of VASPs.

The international anti-money laundering organisation released the outcomes of its plenary, which took place over three days last week in Paris and was attended by over 800 delegates from 205 jurisdictions and international organisations. 

In two documents released after the plenary, the FATF said that, from now on, as part of its mutual evaluations, it will specifically look at how well countries are implementing its global standards to address the money laundering and terrorist financing risks of virtual assets.

Countries that have already gone through their mutual evaluations will need to report back during their follow-up process on what steps they have taken in this area. 

The FATF also singled out stablecoins, listing the money laundering risk attached to them and other emerging assets as one its "major strategic initiatives". 

"Emerging assets such as so-called global 'stablecoins', and their proposed global networks and platforms, could potentially cause a shift in the virtual asset ecosystem and have implications for the money laundering and terrorist financing risks. There are two concerns: mass-market adoption of virtual assets and person-to-person transfers, without the need for a regulated intermediary. Together these changes could have serious consequences for our ability to detect and prevent money laundering and terrorist financing," the FATF said in one of the documents. 

The FATF also said that it will continue to monitor emerging assets, including stablecoins, and will continue to examine their characteristics and risks, and may even clarify how its standards apply to stablecoins and their service providers. 

"The FATF will continue to ensure its standards remain relevant and responsive and it will report to G20 Finance Ministers and Central Bank Governors in 2020 on the risks from global 'stablecoins' and other emerging assets," the FATF said. 

In June, the FATF adopted its previous recommendations on virtual currencies and how countries and "obliged entities" must prevent the misuse of virtual assets for money and terrorist financing. 

Digital identity 

The FATF also identified understanding and leveraging the use of digital identity as another of its strategic initiatives, adding that there has been a significant shift towards digital payments in recent years. 

"The number of transactions are growing at over 12% every year. Customer identification is essential to prevent criminals and terrorists from raising and moving funds. However, in the growing digital world, different customer identification methods exist," the FATF said. 

The FAFT will therefore release draft guidance on the use of digital identity for public consultation. 

This draft guidance analyses the use, reliability and independence of digital identification systems and looks at how digital ID systems could meet the FATF’s customer due diligence requirements. 

It aims to help governments, financial institutions and other relevant entities to apply a risk-based approach to using digital ID systems.

"The FATF supports financial innovation that does not create new safe havens for terrorists and criminals to carry out their transactions. Responsible innovation in the form of reliable digital ID systems contributes to the objectives of preventing its misuse for crime and terrorism, and supporting financial inclusion."

The global anti-money laundering (AML) organisation finalised its interpretative note to Recommendation 15, clarifying how the FATF Standards and measures should apply in respect of virtual assets and virtual asset service providers (VASPs).

The interpretative note was first proposed in February.

Among other things, the note requires countries to:

• Assess and mitigate risks associated with virtual asset activities and service providers, on a risk-based approach.
• License or register service providers and subject them to supervision or monitoring by competent national authorities (notably – and likely in response to some industry calls for self-governance – the note provides that jurisdictions cannot rely on a self-regulatory body to do this).
• Adopt preventive measures to ensure that service providers assess and mitigate their ML/TF risks and implement the AML and combating the financing of terrorism (CFT) preventive measures under the FATF Recommendations, such as customer due diligence, record-keeping, suspicious transaction reporting, and screening all transactions for compliance with targeted financial sanctions. This includes co-ordination with relevant authorities to ensure the compatibility of AML/CFT requirements with data protection and privacy rules and similar provisions.
• Implement penalties and other enforcement measures when service providers do not comply with their AML/CFT obligations.

Recognizing that digital assets can be transferred freely among decentralized systems, the interpretative note also stresses the importance of international co-operation in AML compliance and enforcement efforts, as well as approaches for consistent regulation.

One of the most notable (and controversial) requirements is that countries should ensure that VASPs should "obtain and hold required and accurate originator information and required beneficiary information on virtual asset transfers, submit the above information to the beneficiary VASP or financial institution (if any) immediately and securely, and make it available on request to appropriate authorities".

As explained in guidance issued on the same day as the note, the required information under this "travel rule" should cover the:

• sender's name;
• sender’s account number where such an account is used to process the transaction (e.g., the virtual asset wallet);
• sender’s physical address, or national identity number, or customer identification number (i.e., not a transaction number) that uniquely identifies the sender to the ordering institution, or date and place of birth;
• recipient's name; and
• recipient account number where such an account is used to process the transaction (e.g., the virtual wallet).

As provided in the interpretative note, this information does not have to be included in the virtual asset transfer itself, and can be submitted directly or indirectly.

In a public statement, the FATF said that since the threat of criminal and terrorist misuse of virtual assets is "serious and urgent", it expects all countries to take "prompt action" to implement its Recommendations on virtual assets and service providers, with a 12-month review set for June 2020.

Updated guidance

The FATF also updated its 2015 guidance on the application of a risk-based approach to virtual assets and VASPs.

The guidance, which is itself non-binding and does not overrule the purview of national authorities, is meant to help countries develop regulatory responses to virtual asset activities and VASPs, including by amending national laws, as well as help providers/private sector entities seeking to engage in virtual asset activities in understanding and complying with their AML/CFT obligations.

The guidance details the obligations that apply to VASPs and virtual assets under the FATF Recommendations and also:

• examines how virtual assets activities and VASPs fall within the scope of the FATF Recommendations;
• explains how the FATF Recommendations apply to countries and competent authorities, as well as VASPs and other obliged entities that engage in or provide virtual asset activities, including financial institutions such as banks and securities broker-dealers; and
• gives examples of jurisdictional approaches to regulating, supervising, and enforcing covered virtual asset activities and VASPs (and other obliged entities) for AML/CFT.

The guidance notes that, as with financial institutions, countries should ensure that secrecy laws do not prevent the implementation of the FATF Recommendations to VASPs. This is a recognition that the proliferation of new privacy rules – for instance, those promulgated under the EU GDPR, and similar laws and regulations elsewhere – are sometimes in tension with AML regimes, which depend on the maintenance, transfer, and reporting of certain personal and financial information.

Further, the FATF recommends that countries and obliged entities design customer due diligence (CDD) processes to help VASPs assess the ML/TF risks associated with virtual asset activities, business relationships or occasional transactions above $/€1,000.

This process should include "identifying the customer and, where applicable the customer's beneficial owner and verifying the customer's identity on a risk basis and on the basis of reliable and independent information, data, or documentation to at least the extent required by the applicable legal or regulatory framework".

VASPs should also have effective procedures in place to identify and verify the identity of a customer, report transactions that may present a ML/TF risk, regardless of any threshold exemptions, and "where they have doubts about the veracity or adequacy of previously obtained identification data".

Where the virtual asset activity involves pseudonymous or anonymous transactions, non-face-to-face transactions and/or payments from unknown sources, enhanced due diligence measures may be needed, such as corroborating the identity information received from the customer, tracing their IP address and "searching the internet for corroborating activity information with the customer's transaction profile".

Information collected under the CDD process needs to be kept up to date by conducting ongoing due diligence and records of transactions and any customer due diligence measures should be kept for at least five years "in such a way that individual transactions can be reconstructed and the relevant elements provided swiftly to competent authorities". 

The guidance also explains how to determine in which country(ies) VASPs should be registered or licensed: at a minimum where they were created, or in the jurisdiction where their business is located for natural persons. However, jurisdictions can also choose to require VASPs to be licensed or registered before they can do business there.

National authorities, including those of countries where virtual asset activities are banned, should also take action against players carrying out virtual asset activities without the proper license or registration.

The FATF also stressed the importance of international co-operation between relevant supervisors given the cross-border nature of VASPs’ activities and the potential challenges in associating a particular VASP with a single jurisdiction, and even suggested that countries should consider putting in place interagency task forces to enable policymakers, regulators and law enforcement authorities to collaborate and develop measures to deal with the risks linked to virtual assets.

Although the FATF Recommendations are not legally binding, countries that do not comply with them can be blacklisted or otherwise designated, which will incentivize other countries from doing business with them.

The global ant-money laundering body included virtual assets as part of its major strategic initiatives at its second plenary meeting in Paris in February 2019.

"Recognising the need to adequately mitigate the money laundering and terrorist financing risks associated with virtual asset activities, the FATF is setting out more detailed implementation requirements for effective regulation and supervision/monitoring of virtual asset service providers [VASPs]."

The FATF has therefore been working on a new interpretative note to Recommendation 15, which will be adopted as part of the FATF Standards in June 2019.

Recommendation 15 stipulates that countries and financial institutions should identify and assess the ML/TF risks that may arise in respect of new products or business practices as well the use of new or developing technologies.

It also stipulates that VASPs should be regulated for AML/CFT purposes, and licensed or registered and subject to effective systems for monitoring and ensuring compliance with the relevant measures called for in the FATF Recommendations.

However, paragraph 7(b) of the interpretative note has not yet been finalised and is now subject to consultation.

Paragraph 7(b) reads:

"7. With respect to preventive measures, the requirements set out in Recommendations 10 to 21 apply to VASPs, subject to the following qualifications:

…

(b) R.16 – Countries should ensure that originating VASPs obtain and hold required and accurate originator information and required beneficiary information2 on virtual asset transfers, submit the above information to beneficiary VASPs and counterparts (if any), and make it available on request to appropriate authorities. It is not necessary for this information to be attached directly to virtual asset transfers. Countries should ensure that beneficiary VASPs obtain and hold required originator information and required and accurate beneficiary information on virtual asset transfers, and make it available on request to appropriate authorities. Other requirements of R.16 (including monitoring of the availability of information, and taking freezing action and prohibiting transactions with designated persons and entities) apply on the same basis as set out in R.16."

The FATF invites private sector entities and other experts to comment on the paragraph by 26 April, at FATF.Publicconsultation@fatf-gafi.org or via national authorities through their FATF delegations.

In October 2018, the FAFT had amended Recommendation 15 to clarify how its standards apply to activities or operations involving virtual assets.

At the time, the global anti-money laundering body had said that that there was "an urgent need" for countries to take co-ordinated action to stop virtual currencies being used to finance crime and terrorism.

The FATF Recommendations were issued in 2015 and set out a risk-based approach to virtual currencies as well as requirements for combating money laundering and terrorism financing.

In 2015, the watchdog issued the FATF Recommendations, setting out a risk-based approach to virtual currencies and requirements for combating money laundering and terrorism financing.

Among other things, the risk-based approach requires jurisdictions to identify money laundering and terrorism financing risks, including those linked to new products and practices such as virtual assets, and take steps to mitigate them.

Financial institutions, in particular, should ensure that the risk assessment takes place before launching new products or business practices.

"Given the urgent need for an effective global, risk-based response to the AML/CFT risks associated with virtual asset financial activities, the FATF has adopted changes to the FATF Recommendations and Glossary that clarify how the Recommendations apply in the case of financial activities involving virtual assets," the FATF said.

The changes add new definitions of “virtual assets” and “virtual asset service providers” to the Glossary and also make clear that virtual asset service providers need to be subject to AML/CFT regulations, be licensed or registered as well as monitored to check compliance.

The FATF said:

"All jurisdictions should urgently take legal and practical steps to prevent the misuse of virtual assets. This includes assessing and understanding the risks associated with virtual assets in their jurisdictions, applying risk-based AML/CFT regulations to virtual asset service providers and identifying effective systems to conduct risk-based monitoring or supervision of virtual asset service providers."

The watchdog added that some jurisdictions already regulate virtual currencies according to the 2015 guidance and that these latest clarifications are "largely compatible" with their existing regulatory requirements.

Going forward, the FATF said it will prepare an updated guidance on a risk-based approach to regulating virtual asset service providers, including their supervisions and monitoring as well as guidance for operational and law enforcement authorities on identifying illicit activity involving virtual assets.

“By June, we will issue additional instructions on the standards and how we expect them to be enforced,” FATF President Marshall Billingslea said, as reported by news agency Reuters.

"In light of the rapid development of the range of financial functions served by virtual assets, the FATF will also review the scope of activities and operations covered in the amended Recommendations and Glossary in the next 12 months and consider whether further updates are necessary to ensure the FATF Standards stay relevant," the watchdog added.