Non-Hyped Look at FATF Announcement of June 2019 with Respect to Crypto Compliance

Published by Yana on

First important point – FATF guidelines are NOT for companies or businesses or private sector, they target national authorities of FATF member countries. Which means, until FATF recommendations are implemented into the national law, they are not binding.

So – What Needs to Change in the National Legislation?

  • VASPs (Virtual Asset Service Providers) must be registered or licensed, and a membership in a self-regulated organization will not be enough.
  • VASPs must have AML program in place.
  • VASPS that facilitate transfers of funds must include information about the sender and recipient and this information must “accompany the transfer” (can be on-chain or off-chain)
  • Private wallets and P2P services are not subject to this regulation, if they don’t facilitate settlements or touch funds.

What FATF did NOT Say:

FATF never said that crypto should be considered a risky segment. Each country can apply their own criteria of what is risky or not.

What is Risky based on FATF criteria?

  • Higher ML/TF risks exist when anonymity enhanced transactions are used and VASPs are unable to identify the ultimate beneficiary of the transactions and therefore the associated funds cannot be traced.
  • Capacity to make payments or transfer funds and its cross-border nature
  • Inconsistency or different treatment in different jurisdictions
  • VASP operating from a jurisdiction with weak AML/CTF controls and providing services to customers outside of this jurisdiction
  • When there is a lack of clarity as to which legal/natural person has AML obligations in which jurisdiction and for what reason.

Curious note: Even in jurisdictions where VASPs are banned, the authority must have measures in place to ensure action in case of non-compliance with the prohibition, even if some of the sections of the interpretative note to recommendation 15 would not apply.

WHO IS VASP?  - is a business conducting one or more of the following activities or operations for or on behalf of another natural or legal person:

  • Exchange between virtual assets and fiat currencies;
  • Exchange between one or more forms of virtual assets;
  • Transfer of virtual assets; and
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

Exchanges and custodians fall within this definition, but so do bitcoin ATMs, VA escrow accounts (even those with smart contracts), brokerage services, order-book exchanges for buyers and sellers, VA portfolio management/purchase services, including those with algorithm-based trading.

Decentralized applications, their owners/operators may fall within the scope of the definition (if they touch the funds or execute settlements)

However, for example simple forums where bids can be posted, but all transactions take place elsewhere and are not automatic, are not considered VASPs (unless the platform itself facilitates the exchange). Loyalty programs (miles, credit cards rewards) are also not concerned, because they are non-transferable and non-fungible. Software and platform developers do not constitute VASPs per se, however, as soon as they engage with customers funds or transactions, they are subject to FATF recommendations. Similarly, ancillary services (hardware wallets, non-custodial wallets) are not considered VASPs.

What about information exchange?

The definition of a wire transfer (transaction carried out on behalf of an originator, through a financial institution, electronically, with the aim of making funds available to a beneficiary person, at a beneficiary financial institution) now extend to VASPs.

It means that VASPs must  collect at least the following information:

  • Originator’s name
  • Originator’s account number
  • Originator’s physical address/national id number/customer identification wallet date/place of birth
  • Beneficiary’s name (does not have to be exact)
  • Beneficiary account number, where available and used in the transaction

This information must be transmitted immediately and securely, protecting the integrity and the availability of the information, between the VASPs facilitating the transfer, if the transaction exceeds 1000 USD. This info should be available to authorities upon request. Customer screening is also necessary to comply with freezing orders and sanctions lists.

If the transfer is a transaction with self (e.g. top-up or withdrawal) or with a non-regulated institution, regulated VASPs must not transfer any information, but still have to have it with respect to their own customer.


Curious how FATF recommendations may fit into your overall KYC workflow?

Download this FREE Digital KYC Onboarding Guide and find out!

Categories: AMLCryptoLicensing

>