FATF Issues Updated Virtual Asset Guidance – Technology

On October 28, the Financial Action Task Force¹
(“FATF”) issued its Updated Guidance for a Risk-Based
Approach to Virtual Assets and Virtual Asset Service Providers,
updating its 2019 guidance (the
“Guidance”). This updated guidance outlines the
FATF’s view on the application of the FATF Recommendations to
virtual assets, including providing further clarification on the
definitions of “virtual assets” and “virtual asset
service providers” and addressing current developments such as
stablecoins, non-fungible tokens (“NFTs”), initial coin
offerings (“ICOs”), decentralized finance
(“DeFi”) and decentralized applications
(“DApps”).

Definition of Virtual Assets (VA)

The Guidance reiterates the definition of “virtual
assets” as a “digital representation of value that can be
digitally traded or transferred and can be used for payment or
investment purpose” and also notes that “[v]irtual assets
do not include digital representations of fiat currencies,
securities, and other financial assets that are already covered
elsewhere in the FATF Recommendations”. In addition, the
Guidance states that “[f]inancial assets should not be deemed
uncovered by the FATF Recommendations because of the format in
which they are offered and no financial asset should be interpreted
as falling entirely outside the FATF Standards. Finally, the
Guidance reiterates that the definition should be interpreted
broadly.

Definition of Virtual Asset Service Provider (VASP)

The Guidance reiterates that “any natural or legal person
who is not covered elsewhere under the [FATF] Recommendations, and
as a business conducts one or more of the following activities or
operations for or on behalf of another natural or legal
person”: (each of the following referred to as a
“limb” of the VASP definition in the Guidance):

1. Exchange between virtual assets and fiat currencies;




2. Exchange between one or more forms of virtual assets;




3. Transfer of virtual assets;




4. Safekeeping and/or administration of virtual assets or
   instruments enabling control over virtual assets;




5. Participation in and provision of financial services related to
   an issuer’s offer and/or sale of a virtual asset.

The Guidance provides further insight into this definition,
noting in particular that “conducts” “includes the
provision and/or active facilitation of a service, which refers to
active involvement in the provision of activities covered” and
that “as a business” means “for commercial
reasons” and “on at least a sufficiently regular basis,
rather than infrequently.”

The Guidance also provides detailed description and examples of
entities that may be captured as VASPs, including in the stablecoin
and DeFi context (discussed below). The Guidance also notes that
other common examples of entities that may be captured as VASPs
include:

1. “VA escrow services, including services involving smart
   contract technology, that VA buyers use to send, receive or
   transfer fiat currency in exchange for VAs, when the entity
   providing the service has custody over the funds;




2. brokerage services that facilitate the issuance and trading of
   VAs on behalf of a natural or legal person’s users;




3. order-book exchange services, which bring together orders for
   buyers and sellers, typically by enabling users to find
   counterparties, discover prices, and trade, potentially through the
   use of a matching engine that matches the buy and sell orders from
   users. However, a platform which only allows buyers and sellers of
   VAs to find each other and does not undertake any of the services
   in the definition of a VASP would not be a VASP; and




4. advanced trading services, which may allow users to access more
   sophisticated trading techniques, such as trading on margin or
   algorithm- based trading.”

On the other hand, the Guidance notes that “[f]irms which
merely provide ancillary infrastructure to allow another entity to
offer this service, such as cloud data storage providers or
integrity service providers responsible for verifying the accuracy
of signatures, will not normally satisfy this definition” nor
would providers of “ancillary services like hardware wallet
manufacturers or providers of unhosted wallets”, although each
analysis should be fact-based.

Central Bank Digital Currencies

The Guidance states that it does not apply to central bank
digital currencies (“CBDCs”) and that these are not
virtual assets “as they are digital representation of fiat
currencies”. Rather, the FATF considers CBDCs to be fiat
currencies and the FATF Recommendations to apply to them on such
basis, similar to other forms of fiat currencies.

Stablecoins

The Guidance notes that a stablecoin will likely be either a
security or a virtual asset and therefore captured by the FATF
Recommendations. In addition, the Guidance outlines that a number
of entities involved in a stablecoin arrangement, ranging from the
central developer/ governance body, to parties that “drive the
development and launch of such an arrangement before its
release”, to exchanges or custodial wallet services, may be
captured as a VASP and that a careful review of the actual
arrangement and the roles of each party would be required.

NFTs

The Guidance states the following in respect of NFTs:

Accordingly, the determination of whether a NFT is a virtual
asset will be very fact-based and will depend on the intended use
of the asset rather than the nature of the asset itself. This could
lead to situations where the same asset may be a virtual asset in
some contexts (where it is intended to be used for payment or
investment purposes, for example in the case of a collectible that
is expected to appreciate in value) and not a virtual asset in
others (for example in the case of a collectible acquired for
sentimental reasons).

ICOs

The Guidance notes that various parties involved in an ICO may
be a VASP . For example, a token issuer could be a VASP “if it
conducts other activities that fall under any limb of the VASP
definition (e.g. if they are exchanging the VA for fiat currency or
other VAs (limbs (i) and (ii)) or if they are providing liquidity
in the VA by acting as a market-maker following the ICO (limb (v)).
Businesses providing related financial services to the person’s
sale of the VA (e.g., by acting as a broker or dealer for the
person), would then be a VASP under limb (v) of the VASP
definition, regardless of whether they are formally affiliated with
the person.” 

The Guidance also highlights that such activity could be subject
to securities laws and that “whether the issuer of the digital
asset will be considered a VASP or an issuer of securities will
depend on the unique facts and circumstances of the ICO and the
laws of the country”. In addition, and relevant in Canada
where a virtual asset trading platform may for example be both a
securities dealer and a VASP, “[a] person may be engaged in
activity that may subject them to more than one type of regulatory
framework, and the digital assets used by such a person may
similarly be subject to more than one type of regulatory
framework.”

DeFi and DApps

The Guidance notes that a “DeFi application (i.e. the
software program) is not a VASP under the FATF standards, as the
[s]tandards do not apply to underlying software or technology”
but “creators, owners and operators or some other persons who
maintain control or sufficient influence in the DeFi arrangements,
even if those arrangements seem decentralized, may fall under the
FATF definition of a VASP where they are providing or actively
facilitating VASP services. This is the case, even if other parties
play a role in the service or portions of the process are
automated.” The Guidance therefore puts forward the concept of
an “owner/operator” of a DeFi arrangement, noting for
example that such owner/operator may exist where “there may be
control or sufficient influence over assets or over aspects of the
service’s protocol, and the existence of an ongoing business
relationship between themselves and users, even if this is
exercised through a smart contract or in some cases voting
protocols.”

Therefore, the Guidance distinguishes between automation and
decentralization and puts forward a broad interpretation of VASPs,
which could capture software developers or others who maintain some
control over DeFi arrangements.

The Guidance also notes that “[m]arketing terms or
self-identification as a DeFi is not determinative, nor is the
specific technology involved in determining if its owner or
operator is a VASP”.

Multisig Wallet Transactions

The Guidance states that “multi-signature processes are not
inherently exempt (see limb (iv) [above]), where a VASP undertakes
the activity as a business on behalf of another natural or legal
person.” In particular, it states that “[t]he existence
of a multi-signature model or models in which multiple parties must
use keys for a transaction to happen does not mean a particular
entity does not maintain control, depending on the extent of the
influence it may have over the VAs.”

Correspondent Relationships (White Label VASP Services and
Nested VASPs)

The Guidance notes where a VASP provides VASP services to
another VASP or financial institution, such relationship would be
characterized as a correspondent relationship and “could also
include, for example, one VASP white-labelling its platform
functionality to another VASP and also providing nested services
(providing accounts to smaller VASPs for access to liquidity and
trading pairs)”. The Guidance notes the application of
Recommendation 13 (Correspondent banking and other similar
relationships) to such relationships.

Unhosted Wallets – Peer-to-Peer Transactions and Application of
Travel Rule

The Guidance defines peer-to-peer’ (P2P) transactions as
“VA transfers conducted without the use or involvement of a
VASP or other obliged entity (e.g., VA transfers between two
unhosted wallets whose users are acting on their own behalf”
and notes the higher money laundering/ terrorist financing risk
associated with such transactions, as they do not involve a
regulated entity. The FATF recommends that countries take measures
to understand the risks associated with P2P transactions through
industry outreach, training of personnel and encouraging the
development of methodologies and tools, and then implement
appropriate options to mitigate the risks, such as instituting
controls (such as reporting requirements) or other requirements,
providing for supervision of VASPs and other entities with a focus
on unhosted wallet transactions, issuing guidance and/or placing
restrictions on such transactions.

The Guidance also notes that regulated entities must still
comply with the requirements of the travel rule in the case of
transactions involving unhosted wallets (where a VASP is either the
originator or beneficiary as applicable), by obtaining “the
required originator and beneficiary information from their
customer”. 

Other Travel Rule Updates

Transaction Fees Exempt

The Guidance notes that transaction fees (i.e. “the amounts
of VA that may be collected by the miner who includes the
transaction in a block. It could be called by various names
depending on the type of VA, such as gas or block rewards”)
are not within scope of the travel rule. Therefore, VASPs do not
need to identify the recipient of the transaction fee, because the
recipient is not the originator or recipient of the VA transfer
itself.” 

In addition, the Guidance notes that “[t]here may also be
scenarios where technical reasons means a VASP must send a greater
amount of a VA than the actual amount of VA to be transferred, with
the difference automatically refunded to the ordering VASP. In such
a scenario, the travel rule does not apply to the recipient VASP in
respect of the refund, as the refund forms part of the transfer by
the ordering VASP.”

Counterparty Due Diligence Requirement

The Guidance also states that a VASP should conduct counterparty
due diligence before transmitting the required travel rule
information to its counterparty but notes the challenges with
complying with such requirements and proposes a multi-step
counterparty VASP due diligence process. While this process does
not need to be undertaken for every transfer, the due diligence
information should be periodically refreshed and updated.

Sunrise Issue Approach

The “sunrise issue” refers to the fact that certain
countries will require compliance with the travel rule before other
countries. The Guidance recommends that countries adopt a
risk-based approach in respect of compliance by a VASP with travel
rule requirements and notes that “[r]egardless of the lack of
regulation in the beneficiary jurisdiction, originating entities
can require travel rule compliance from beneficiaries by contract
or business practice.”

Information Sharing Among VASP Supervisors

The Guidance notes the FATF Recommendations currently encourage
co-operation among supervisors but that “[g]iven the
pseudonymous, fast-paced, cross-border nature of VAs, international
co-operation is all the more critical between VASP
supervisors” . Accordingly, the Guidance proposes certain
non-binding Principles of Information-Sharing and Co-operation
between VASP Supervisors.

Canadian Implications

While the Guidance is not binding, as a FATF member country, we
can expect Canadian policy makers and regulators to carefully
review the Guidance and determine how, and to what extent, to best
apply the recommendations in a Canadian context, through additional
regulatory guidance and/or amendments to the legislation, as
applicable.

Footnote

1. The FATF is an intergovernmental policy-making body
that was established in 1989. The FATF sets standards and promotes
the implementation of legal, regulatory, and operational measures
to combat threats to the integrity of the international financial
system, including money laundering and financing
terrorism.

To view the original article click here

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.