FATF’s Finalized Guidance for Virtual Asset Service Providers
On Thursday, the Financial Action Task Force ("FAFT") issued its long-awaited finalized guidance on virtual asset service providers ("VASPs"), giving additional clarity on the characteristics that would qualify an entity as being defined as a VASP.
FATF finalized guidance for regulating virtual assets, which puts customer due diligence requirements on virtual asset service providers (“VASPs”) to combat money laundering and terrorism financing.
The new guidance issued by FATF attempts to clarify how the not-so-clear crypto entities, particularly those in DeFi, may fall under the scope of the travel rule and other financial regulations, along with the project developers and operators in the space.
Overall, the finalized guidance mostly reiterates what we know at a baseline level. The finalized language can be broadly interpreted, leaving flexibility for jurisdictions to determine how to regulate VASPs.
Notably, FATF’s recommendations are non-binding and serve as a goalpost for governments, national regulators, and impacted entities within each jurisdiction.
Regulation in the US is already moving in line with FATF’s guidance. More impactful will be any forthcoming rulemaking from US regulators or legislation from Congress.
Upcoming Policy & Regulatory
In our July report on the Travel Rule, we detailed how the European Commission proposed new anti-money laundering (“AML”) and combatting the financing of terrorism (“CFT”) legislation as an extension to FATF's travel rule that required more recordkeeping and data sharing from virtual asset service providers (VASPs). As a quick refresher on FATF and the travel rule:
FATF. FATF is an international body that develops policies to combat money laundering and terrorist financing. FATF recommendations are non-binding (soft law). FATF members that fail to implement the recommendations face being placed on the FATF gray list or potential expulsion from the organization of 37 nation states and 2 regional organizations
(EC and Gulf Cooperation Council). FATF merely outlines outline standards and policies for AML and promotes collaboration between member states, but it doesn't create legal obligations.
Travel Rule. The Travel Rule puts customer due diligence requirements on regulated financial services companies to collect and store identifying information on their customers - whether businesses or individuals - and submit suspicious activity reports (“SARs”) to authorities when appropriate. It also requires jurisdictions to implement a risk-based approach to virtual assets and ensure that VASPs are registered in some licensing regime that subjects them to adequate regulation and supervision.
In June 2019, FATF recommended the travel should be applied to virtual asset service providers. VASPs are- institutions that handle cryptocurrencies for amounts over USD/EUR 1,000 (varies by jurisdiction). The initial draft guidance generated questions about which types of entities in the cryptocurrency ecosystem would fall under the definition of a VASP and what technical feasibility they possessed to obtain identifying customer information to comply. A major outstanding question related to how decentralized finance (“DeFi”) applications and activity would be covered, if at all Since then, FATF has been studying the tools and options available to covered VASP parties to comply with the travel rule before issuing a more finalized guidance for the Travel Rule.
The latest 12-month study in July found most jurisdictions had not yet introduced the necessary legislation to regulate VASPs, although the private sector had made some progress in implementing the necessary compliance solutions (at least those entities for whom a VASP designation was not in question, such as centralized cryptocurrency exchanges, payment processors, and custodians.
For more details, please read our previous note on the travel rule.
New FATF Guidance for Travel Rule
The new guidance issued by FATF attempts to clarify how the not-so-clear crypto entities, particularly those in DeFi, may fall under the scope of the travel rule, along with the individual developers, creators, and operators operating in the space. Overall, it mostly in-line with the industry's expectations with some slight net positive implications.
Some of the important highlights from the updated guidance:
Software, including decentralized applications (dapps) and crypto platforms, are not VASPs by definition, but the individuals that direct the creation and development of the dapp or platform may qualify as a VASP, particularly if they preserve "control or sufficient influence over the assets, software, protocol, or platform or any ongoing business relationship with users of the software even if this is exercised through a smart contract."
FATF specified that it viewed the functionality of the technology as a paramount determinant factor, as opposed to the technical design, but noted that local jurisdictions must give specific consideration to the underlying financial stack when evaluating which entities are considered VASPs: “The obligations in the FATF Standards stem from the underlying financial services offered without regard to an entity's operational model, technological tools, ledger design, or any other operating feature.”
Non-fungible tokens (“NFTs”) (assumed by FATF to be art and digital collectibles) are generally not classified as virtual assets (“VAs”) under the FATF definition, but that could change depending on how they function. FATF specified, for example, that NFTs that are used for payments or investment purposes may fall constitute VAs and, therefore, centralized entities handling them may be considered VASPs.
Thankfully, FATF’s updated guidance does not suggest DeFi can only exist in a permissioned manner through a centralized, regulated VASP. The language specifically highlights a protocol or application’s level of decentralization of control as a the determinant factor in whether or not it should be consider a VASP. Genuinely decentralized applications and protocols are unlikely to be considered VASPs, while projects that are controlled by founding teams or those with administrative keys are more at risk of being VASPs. FATF astutely notes that many protocols and applications are decentralized in name only (“DINO”), indicating that jurisdictions should be wary of decentralization claims and instead rigorously evaluate whether such entities should actually be considered VASPs. Ultimately, this stance is similar to the one promoted by US regulators, including SEC Chairman Gary Gensler, which is supportive of cryptocurrency applications and blockchain protocols with strong claims on decentralization.
The new guidelines are an honest attempt by FATF to bring clarity to the travel rule. The broad language provides local jurisdictions with some level of interpretation and flexibility to set regulatory parameters. However, there were some notable omissions on certain crypto assets or social organizations that leave us with several important questions:
Where should the line be drawn for sufficient decentralization? The underlying infrastructure upon which applications are built stretch along a wide spectrum of decentralization: most L1 blockchains preserve certain levels of centralization upon launch to quickly build and innovate while sidechain operators maintain admin keys and are not fully decentralized. Even rollups, which are meant to be trust-minimized and permissionless, currently have centralized operators that may be subject to new recordkeeping requirements if FATFs guidelines are strictly enforced.
Is the soft goal of progressive decentralization sufficient for project teams to avoid VASP designation, or does autonomous governance become more imperative at the start? What does this mean for new entrepreneurs and project teams? Very few existing protocols and DeFi applications are fully decentralized. Maker and Uniswap are notable
exemptions but even so, the governance process in early days were centralized and the required a high quorum to vote on proposals.
How should decentralized autonomous organizations (“DAOs”) be viewed in context to the travel rule? DAOs can be socially constructed in a number of ways. How autonomous and widely distributed do DAOs have to be, and with how many voting members, for a DAO to be sufficiently decentralized as to avoid a VASP designation?
Are routing nodes out of scope? Bitcoin's Lightning Network was not specifically mentioned. Routing nodes on the Lightning Network functionally act as money transmitters but they possess no technical capability to abscond with funds or perform customer due diligence. However, while the network itself is highly decentralized, individual nodes are operated by people and, more and more, companies. Could a node on the Lightning Network be considered a VASP?
How will new classes of functional NFTs be regulated? NFTs promise creators better economics with a more equitable share of revenue for their work. So far, NFTs have taken off primarily for art and collectibles and some gaming applications, but more functional NFTs are needed to reach the full potential.
Most regulators in jurisdictions are already considering these points and should ultimately draw the lines between what constitutes a VASP that is subject to customer due diligence and recordkeeping under FATF's travel rule.
FATF's recommendations serve as guidance for global financial jurisdictions, but its guidance is non-binding and implementation timelines are loose For jurisdictions, it provides the necessary framework for its member states to follow. The guidance will ultimately be more meaningful for the larger majority of member states that have not yet introduced significant rules for digital assets, and the guidance can serve as a roadmap for policymakers and regulators in those jurisdictions to help get the ball rolling. Importantly, it creates a coordinated approach between local jurisdictions for more effective regulations that close out some reg arb for VASPs looking to migrate between jurisdictions and serves as a representation of where regulation is likely to go longer term.
Even though FATF issues its guidance with the goal of preventing terrorist financing and money laundering, it still has overlapping implications for other regulatory motives including those relating to tax reporting, investor protection, and financial stability of financial markets. The larger regulatory impact to the crypto industry will be the on-going tussle in the US between regulators, policymakers, and legislators. There are a range of proposals put forth by members of Congress, regulators, and administration officials to clarify how many of the items left for subjective interpretation will be regulated and between which regulatory bodies. In the near-term, the Presidential Working Group on Stablecoins (“PWG”) report is viewed as a first step in forming the US regulatory framework for that large segment of cryptoassets (see our preview of important near-term upcoming regulatory items for more details). That forthcoming report is expected to suggest a dual approach, with some oversight authority reserved for the SEC and new legislation sought to regulate stablecoin issuers as banks.
DeFi will remain an important on-going discussion point that could be impacted by money laundering or tax reporting regulations However, FATF's guidance positively encourages more decentralization and autonomy for projects and social groups - important values that market participants can agree on. For most existing market participants, there is an expectation that a more permissioned DeFi or centralized DeFi (“CeDeFi”) operating environment will be emerge in the medium-term, which can be viewed as a positive given compliance with KYC/AML regulations is seen as a barrier to institutional adoption of digital assets. Proper regulation can provide the green light needed for a larger group of market participants currently on the sidelines to participate in and contribute to the evolution of DeFi.
The benefits of crypto over our existing monetary and legacy systems are becoming more and more apparent. More regulation coming into the space, if enacted thoughtfully, only reinforces a growing consensus view that crypto is here to stay. However, any new regulation must be thoughtful and understanding of the underlying technologies, both its advantages and limitations. Given FATF's honest attempt in providing a regulatory framework to build upon, improving on each iteration of prior guidance proposals, we are hopeful that US regulators and legislators, too, can approach the oversight of this growing and powerful industry with similar nuance and foresight.