• GL
Choose your location?
  • Global Global
  • Australia
  • France
  • Germany
  • Ireland
  • Italy
  • Poland
  • Qatar
  • Spain
  • UAE
  • UK

DWF Spotlight: FATF recommends regulating and monitoring Virtual Asset Service Providers

22 August 2019
Hands on keyboard with lock symbols
The Financial Action Task Force (FATF) just adopted its Interpretive Note to Recommendation 15, recommending member jurisdictions to regulate and monitor virtual asset service providers for anti-money laundering and counter-terrorist financing purposes.
Although the importance of such compliance regulation is widely recognized, the Interpretive Note raises many concerns in the industry. Notably, the introduction of the so-called “travel rule” for transactions in virtual assets, requiring crypto exchanges to collect and share information about users initiating and receiving funds through their services, is feared to create new barriers.  


Financial Action Task Force

The FATF is an inter-governmental body tasked with setting standards and promoting effective implementation of legal, regulatory and operational measures for combating money laundering (AML) and terrorist financing (CTF). The FATF’s Recommendations on AML/CTF (Recommendations), while not legally binding to member jurisdictions, are implemented in many countries, notably the G20. In fact, the FATF announced a review of the implementation progress in member jurisdictions for June 2020. Due to their reach, the standards are quite powerful and a lack of implementation ultimately results in ostracizing of such economies from the international financial system. 


Background to Recommendation 15

Recommendation 15 on new technologies as introduced in October 2018 clarifies how FATF standards apply to activities or operations involving virtual assets. To that end, it specifically asks member jurisdictions to ensure that virtual asset service providers are regulated for AML/CFT purposes, licensed or registered and subject to effective systems for monitoring and supervision. 

In the Glossary, the FATF chose a broad definition of virtual assets that is not limited to distributed ledger technology. Virtual assets are defined as digital representations of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Business activities relating to such virtual assets and conducted by, inter alia, exchanges, custodians, hosted wallet providers and financial service providers fall under what the FATF defines as virtual asset service providers (VASPs). 


Interpretive Note to Recommendation 15

On June 21, 2019, the FATF adopted its Interpretive Note to Recommendation 15 (Note) that clarifies how member jurisdictions are to apply the new standards set in Recommendation 15. The Note makes a point to underscore that Recommendations generally apply to digital representations of value, either under the definition of virtual assets or under traditional instruments such as digital representations of fiat currencies, securities or other financial assets. To give further guidance on how FATF standards apply to virtual assets, the FATF also published an updated Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Provider on 21 June 2019.  

Most significantly, the suggested preventive measures introduce a version of the travel rule. The Note extends this standard for wire transfers – that is known as the travel rule under U.S. law – to transfers of virtual assets. The standard asks VASPs to obtain, hold and submit to the beneficiary VASP information on the originating as well as beneficiary wallet account that are parties to a given transfer. Obtained information does however not have to be attached to transfers. Moreover, VASPs must implement measures to monitor, freeze and prohibit transactions. 

The Note also introduces a EUR/USD 1,000 per transaction threshold for the application of customer due diligence (CDD). Unfortunately, the FATF does not clarify acts of circumvention, i.e., within what timeframe transactions under the threshold will need to be accumulated to trigger CDD. It is up to member jurisdiction to provide further clarification. 

The FATF recommends a licensing or registration requirement for VASPs, at a minimum in the jurisdiction where they are incorporated, but also suggests licensing or registration in countries where they offer products and/or services. VASPs will moreover be subject to supervision or monitoring for AML/CFT purposes. Supervision has to be exercised by a competent authority with sufficient powers, including enacting sanctions and suspension of license. Further rules mimicing those for financial intermediaries are for the vetting of ultimate beneficial owners, managers of VASPs and the call for supervisors of VASPs to cooperate internationally by exchanging information promptly and constructively.



Governments show firm resolve in applying AML/CTF standards to the crypto industry. In their Communique from early June, the G20 finance ministers reaffirmed their commitment to the FATF standards. Simultaneously, the EU sees implementation effort of the 5th Anti-Money Laundering Directive, addressing the AML/CTF risks associated with virtual currencies. Member States such as Germany and the UK aim to exceed the terms of the Directive, probably already with a view to implementing the FATF’s new standards. 

At the same time, regulators seek industry buy-in. The FATF announced a Contact Group to engage with the industry and monitor industry-led efforts to enhance compliance with FATF standards regarding virtual assets. Moreover, the FATF advises member jurisdictions to “engage with their private sector on potential applications of available technology or possible solutions for compliance” with the travel rule. These formats might prove to be an effective tool for the industry to address remaining concerns and support effective monitoring. 

It seems clear that the centralized ventures within the still very young crypto industry will struggle to implement the FATF standards that even experienced international financial institutions have difficulties to adopt. In order to prevent suffocating the industry, countries should consider implementing grandfathering rules and apply a moderate approach to licensing, registration and monitoring while this industry grows up. Otherwise, only traditional financial intermediaries that already hold licenses will remain as VASPs.

One of the crypto industry’s concerns is possible side effects of the travel rule on data privacy. Generally, data protection and AML/CFT goals create an inherent conflict of interest, which is not easily resolved. The current system of using licensed financial service providers for AML/CTF monitoring force their customers to waive their privacy rights vis-à-vis these private companies. In their public statement issued on 21 June 2019 along with the mentioned publications, the FATF recognizes the potential conflict between these two equally important topics. Member jurisdictions are asked to coordinate with relevant authorities to ensure the compatibility of AML/CFT requirements with data protection and privacy rules. 

The crypto industry itself is quite privacy conscious though and a possible outcome of the struggle between AML/CFT and privacy could be further decentralization that forces member jurisdictions to take ownership of compliance and monitoring measures.

The reason states usually compel intermediaries to implement AML/CTF measures is to make use of their direct access to critical information that allows for effective monitoring of financial transactions. In a truly open and decentralized system, no such centralized third party monitor would exist for official bodies to rely on.

Notably, peer-to-peer trading between non-custodial wallets, which host a considerable amount of virtual assets at this point, will continue to be unaffected by AML/CTF compliance as non-custodial wallets do not require a VASP or other intermediary that will be subject to AML/CTF obligations. Distribute ledger technology generally strives for a system without intermediaries, with truly decentralized services. The current standards from AML/CTF were however developed for a centralistic financial industry that sends funds through intermediaries. Extending those standards to centralized service providers in the blockchain/DLT environment might trigger an unintended surge of further decentralized applications in an effort to provide for alternatives. 

A daring prediction is that states will finally realize the need to take up the task of monitoring and tracking AML/CTF risks themselves, hiring analytics companies to assist in this task. It seems like the U.S. Securities and Exchange Commission (SEC) already embarked on this path. In July, the SEC announced that it will host nodes of a number of blockchains for direct access to information “to support its efforts to monitor risk, improve compliance, and inform Commission policy with respect to digital assets”. Although it is not entirely clear yet what that will look like, on-chain surveillance systems to monitor, amongst others, for AML/CTF purposes could in the end ease the burden on VASPs, security token issuers and other business models to implement AML/CTF standards themselves. It would also mean that information gathering shifts from regulated financial institutions to governmental bodies using analytics firms to facilitate risk monitoring duties.  

In sum, it seems to be high time to rethink current AML/CTF standards and to really take into consideration the specifics and characteristics of this new technology. 

For the time being, it is more likely though – and supported by the current FATF efforts – that states will pursue the path of outsourcing the monitoring of money laundering and terrorist financing to regulated financial service providers. Users will continue to be forced to disclose personal data vis-à-vis those private companies, which will utilize this data beyond AML/CFT purposes for their companies’ business goals. Time will reveal whether this attempt is actually successful or if it will only trigger a race to even more decentralized applications. 


Further Reading