If the FATF Interpretive Note is adopted, virtual assets and their service providers could fall under the same level of regulatory scrutiny as seen in traditional banking, says ComplyAdvantage.
Back in October 2018, the FATF (Financial Action Task Force) provided a definition of “virtual assets”, a.k.a. cryptocurrencies, and said they would produce guidance in June 2019 on how to treat them.
Last week, at their February Plenary, the group issued a draft “Interpretive Note” to FATF Recommendation 15, which gives a strong indication of what this guidance will look like. If crypto fans and operators were expecting to be able to continue in their unregulated utopia, they will be sorely disappointed.
The Interpretive Note brings in 8 new provisions which impact both competent authorities and obliged entities. The provisions are summarised below:
For countries & competent authorities:
- Countries must identify the risks associated with VASPs (virtual assets and their service providers), applying a risk-based approach to combating identified AML/CFT risks.
Monitoring & supervision:
- Countries must ensure that VASPs are adequately regulated and supervised in line with the current 40 FATF recommendations, meaning that they must be supervised by a competent authority.
- Supervisors and monitors should have the power to impose sanctions if they find a VASP breaching compliance standards – sanctions must also be available to punish directors and the senior management of said VASP.
- FATF urges all competent authorities to have provisions in place for the rapid exchange of information between authorities on VASPs. They make the interesting point that this should be done regardless of the “status and nomenclature” of VASPs in different jurisdictions.
For obliged entities:
- VASPs must register or be licensed by competent authorities in the country in which they were created, or if a person, in the country in which they operate. Countries may also require service providers that operate within them, but were not created there, to register in their jurisdiction.
- Competent authorities will have to somehow ensure that “criminals and their associates” do not have a vested interest in a VASP.
- Once licensed, VASPs will be subject to monitoring by competent authorities, so they must see to it that they are “ensuring compliance with national AML/CFT requirements”.
- What this means in practice is that they must comply with FATF Recommendations 10-22 when occasional transactions are above EUR/USD 1000.
- This broadly translates as having a process in place for Customer Due Diligence (CDD), PEP screening, identifying high-risk third countries and other high-risk sectors, reporting suspicious activity and preventing tipping off.
- In the case of transactions over EUR/USD 1000, VASPs must also obtain and hold accurate information on the sender and beneficiary of a transaction. VASPs will need to be able to send this information to the receiving VASP – effectively removing anonymity from virtual assets. This requirement is based on the current conditions of FATF Recommendation 16 for wire transfers.
What does this mean for virtual assets and their service providers?
FATF has gone pretty much as far as it can to manage AML/CFT risk in the cryptosphere. In doing so they will remove the factors that make virtual assets notable: anonymity and lack of supervision.
The Note may borrow from established crypto regimes, such as those in Japan and Australia, but the treatment of transactions as if they were wire transfers is a new perspective which is likely to be highly controversial. Deriving sender and beneficiary information in a traditionally anonymous world will prove challenging and could be a serious barrier to the success of this guidance.
Fortunately, FATF will consult on this point in May, so VASPs will have the opportunity to challenge this stipulation. If this Interpretive Note is adopted and transposed into domestic legislation, VASPs will likely find themselves as regulated as a traditional bank.
This article was first published by ComplyAdvantage, a team of financial crime compliance experts, engineers and data scientists working to build data and technology solutions to stop money laundering and terrorist financing.