FATF Releases Recommendations for Global Cryptocurrency Regulation

Practical Law Legal Update w-021-0133 (Approx. 7 pages)

FATF Releases Recommendations for Global Cryptocurrency Regulation

by Practical Law Finance

Binding Requirements

Virtual Asset (VA) Definition

A VA is defined as a digital representation of value that can be:

digitally traded or transferred; and
used for payment or investment purposes.

VAs do not include:

digital representations of fiat currencies;
securities; and
other financial assets that are already covered elsewhere in the recommendations.

Virtual Asset Service Provider (VASP) Definition

VASPs are defined as businesses or natural or legal persons that conduct one or more of the following activities on behalf of another natural or legal person:

Providing exchange of VAs for fiat currencies.
Providing exchange of one or more forms of VA for one another.
Transfer of VAs.
Safekeeping and/or administration of VAs or instruments enabling control over VAs.
Participation in and provision of financial services related to an issuer's offer and/or sale of a VA.

Recommendation 15

Recommendation 15 requires FATF-member countries to:

Identify and assess the money laundering and terrorist-financing risks related to the development of:
- new products and business practices; and
- new or developing technologies for new and pre-existing products.
Ensure that financial institutions licensed by or operating in their jurisdiction take appropriate measures to manage and mitigate money laundering and terrorist-financing risks before launching new products, business practices, or using new or developing technologies.

Interpretive Note to Recommendation 15:

Among other things, the interpretive note to recommendation 15 states that:

The threshold for VA occasional transactions above which VASPs are required to conduct customer due diligence is USD/EUR $1,000.
Countries should identify, assess, and understand the money laundering and terrorist financing risks emerging from VA activities and the activities or operations of VASPs, applying a risk-based approach to ensure that corresponding prevention and mitigation measures are in place.
At a minimum, VASPs should be required to be licensed or registered in the jurisdiction or jurisdictions where they are created.
If a legal or natural person is already licensed or registered as a financial institution within a country, and is permitted to perform VASP activities subject to the full range of applicable obligations under the recommendations, separate licensing or registration systems for that person are not necessary.
Countries should implement sanctions for VASPs that fail to comply with anti-money laundering (AML) requirements and requirements designed to mitigate terrorist financing.

Non-Binding Guidance

Customer Information Exchanges

Under the recommendations, VASPs located in the FATF's 37 member countries would exchange originator and beneficiary information when transferring funds or cryptocurrency/VAs between firms, a practice similar to the "travel rule" that currently applies to banks (see Practice Note, Broker-Dealer Anti-Money Laundering Program: Overview: Records of Funds Transfers).

This information includes the:

Originator's and beneficiary's name.
Originator's and beneficiary's account numbers where such accounts are used to process the transaction.
Originator's physical address, national identity number, customer identification number that uniquely identifies the originator to the ordering institution, or date and place of birth.

The aforementioned information does not need to be directly attached to the VA transfer itself; it can be submitted either directly or indirectly as long as the information is transmitted immediately and securely.

Transaction Record

The recommendations require that countries ensure that VASPs keep records of transactions and customer due diligence measures for at least five years, though the form and manner in which they keep such records is not specified. Aspects of an effective customer due diligence processes, as outlined in the recommendations, are:

Identifying the customer and, if applicable, the customer's beneficial owner.
Verifying the customer's identity on a risk basis and on the basis of reliable and independent information, data, or documentation to at least the extent required by the applicable legal or regulatory framework.
Understanding the purpose and intended nature of the business relationship, if relevant.
Obtaining further information in higher risk situations.

Transaction and customer due diligence information must be maintained in such a way that individual transactions can be reconstructed and the relevant elements provided in a timely manner to authorities.

Natural Person Licensing

According to the recommendations, natural persons can be considered VASPs if they are engaged as a business in any VASP activity for or on behalf of another person. If a natural person is a VASP, the recommendations state that such person is required to be licensed or registered in the jurisdiction where the business is located. A natural person's place of business is characterized as either:

where the business is performed;
where the books and records of the business are kept; or
where the natural person resides.

Natural persons are not considered VASPs if they obtain VAs and use them to purchase goods or services on their own behalf or make a one-off exchange or transfer.

Management and Mitigation

The recommendations state that countries should identify, assess, and understand the money laundering and terrorist financing risks inherent in VA activities and focus their AML efforts and terrorist-financing mitigation efforts on higher-risk VAs, covered VA activities, and VASPs, thus implementing a risk-based approach.

The recommendations also note that though VAs may provide a form of value for conducting money laundering and terrorism financing, and VA activities may serve as a mechanism for the illegal transfer of value or funds, countries should not automatically categorize VASPs or VA activities as inherently high risk for money laundering or terrorism financing activities.

Countries should ensure that VASPs in their jurisdiction consider whether they can manage and mitigate the risk of engaging in activities that involve the use of anonymity-enhancing technologies and mechanisms. If it is determined that they cannot manage and mitigate the associated risks, the recommendations state that parties in that jurisdiction should not be permitted to engage in VASP activities.

Enforcement

The recommendations encourage countries to consider tactics such as web-scraping and open-source information in order to identify online advertising or solicitations for business by unlicensed or unregistered entities offering to engage in VASP activities.

The recommendations also stress the importance of coordination between national authorities in the sharing of information related to the regulation and licensing or registration of VASPs. The recommendations state that countries should consider implementing systems such as inter-agency working groups and task forces to enable relevant bodies to cooperate effectively in developing and implementing effective policies and regulations to address money laundering and terrorist financing risk associated with cryptocurrency and VAs.

In a related public statement, FATF said that it will give countries 12 months to comply with the recommendations, with a review to be conducted in June 2020.

Update: On July 3, 2019, the FATF published an updated version of their standards which includes the recommendations on the global regulation of cryptocurrency. For more information, see Legal Update, Updated FATF Standards Include Interpretative Note on Virtual Assets.

FATF Releases Recommendations for Global Cryptocurrency Regulation | Practical Law