Financial Action Task Force gives new guidance on risk assessment and information sharing
In October the Financial Action Task Force -- the global money laundering and terrorist financing watchdog -- updated its guidance for organizations doing business in the crypto space. The new guidance comes as more and more money is being transacted in this sector, and governments look to regulate it more.
“We don't have enough powers to deal with the risks associated with these products,” says Rick McDonell, former FATF executive secretary and current executive director of the Association of Certified Anti-Money Laundering Specialists. He notes the United States’s recent President’s Working Group on Financial Markets report and recommendations for stablecoins, which recommends new legislation be developed in the U.S.
“What governments are struggling to do now is to ensure that legislation properly covers all of those because it doesn't at the moment in Canada or the United States,” McDonell says, adding that all of the major economies are looking at this, and Singapore and Hong Kong have fresh legislation in place for all these issues. “Work is rapidly being done, because of the recognition” of risk in the previously unregulated sector.
“There’s a struggle to make sure that regulation happens, and is enforced.”
The FATF’s update of its 2019 Guidance for a Risk-Based Approach for Virtual Assets and Virtual Asset Service Providers (VASPs) is part of the FATF’s ongoing monitoring of the virtual assets and VASP sector. The FATF standards require countries to assess and mitigate their risks associated with virtual asset financial activities and providers, and to license or register providers and subject them to supervision or monitoring by competent national authorities.
VASPs include providers of cryptocurrencies, stablecoins and non-fungible tokens (NFTs). They are subject to the same relevant FATF measures that apply to financial institutions. The 2021 Guidance includes updates on six key areas:
- clarification of the definitions of virtual assets and VASPs,
- guidance on how the FATF Standards apply to stablecoins,
- additional guidance on the risks and the tools available to countries to address the money laundering and terrorist financing risks for peer-to-peer transactions,
- updated guidance on the licensing and registration of VASPs,
- additional guidance for the public and private sectors on the implementation of the “travel rule,” and
- principles of information-sharing and co-operation amongst VASP Supervisors.
The updated guidelines don’t make entirely clear who is covered as a VASP, says McDonell. However, they provide clarification on the application of FATF standards to stablecoins and non-fungible tokens.
“The guidance says that the stablecoins pose elevated money-laundering risks, and they have greater potential for mass adoption compared to virtual assets,” he says. “So the obligation to assess risks prior to the launch of a virtual asset applies equally to stablecoins. In relation to non-fungible tokens, the nature and function of the NFT has to be considered, rather than the terminology.”
Each of the VASPs that are doing business in Canada or in in any other country that's regulating them must ensure that it does a risk assessment, “in the same spirit and in the same basic way, as traditional financial institutions are required to do a risk assessment of their clients and their products and their transactions, etc.”
The new guidance also refines the text on the “travel rule” by including a definition of transaction fees and how the rule applies to certain transactions where there are automatic refunds.
When traditional financial institutions send funds by wire they have to know who the originator and beneficiary is. That hasn’t been the case for VASPs, but now that’s required, McDonell says. “That requires VASPs to transmit originator and beneficiary information to a counterparty VAST conducting a transfer for the identification requirements, and to undertake due diligence on those counterparties prior to submitting the required information to the authorities.”
Licensing and registration of assets is required by the FATF, with “an expectation at a minimum to register a license the VASPs created in their jurisdiction,” he says, and that VASPS “be registered before serving users in their jurisdiction.”
The principles of information-sharing and co-operation amongst VASP supervisors “introduces the possibility that a VASP will not share customer data if they reasonably believe the counterparty VASP won’t handle it securely,” he adds.
The guidance continues to indicate that VASPs should be aware of risks posed by transfers by un-hosted wallets, which McDonell calls a significant issue related to identification or anonymity, “which is not permitted. That information must be available to authorities when needed.”
There is also an information-sharing exhortation in the new guidance, indicating that “each country should designate at least one competent authority as the supervisor for VASPs.”
Overall, says McDonell, it’s “extremely important [to] ensure you know what you'd have to do to conduct a risk assessment -- because there are not any regulatory consequences, but there could be legal consequences of doing it badly, or ignoring it all together, which may lead into even criminal conduct.”
Second, “they have to get the travel rule right.”