On March 19, 2021, the Financial Action Task Force (FATF), the global anti-money laundering standards-setting body, released draft guidance to clarify and supplement its 2019 guidance on a Risk-Based-Approach (RBA) to Virtual Assets (VAs) and Virtual Asset Service Providers (VASPs). While FATF’s guidance is not technically binding on member countries, it is broadly followed by such jurisdictions, in part to avoid inclusion on FATF’s lists of jurisdictions with deficiencies in their anti-money laundering (AML) and countering the financing of terrorism (CFT) regimes. For example, FATF’s recommendation that the so-called “travel rule” be applied to VASPs is being widely implemented by jurisdictions around the globe, although the pace of such implementation varies considerably. Therefore, the draft guidance, which incorporates a number of substantial changes and additions, may have a significant impact on industry going forward.

As described in a FATF press release, there are six main areas of focus for the draft guidance:

  1. “clarify the definitions of VA and VASP to make clear that these definitions are expansive and there should not be a case where a relevant financial asset is not covered by the FATF Standards (either as a VA or as a traditional financial asset);
  2. provide guidance on how the FATF Standards apply to so-called stablecoins;
  3. provide additional guidance on the risks and potential risk mitigants for peer-to-peer transactions;
  4. provide updated guidance on the licensing and registration of VASPs;
  5. provide additional guidance for the public and private sectors on the implementation of the ‘travel rule;’ and
  6. include Principles of Information-Sharing and Co-operation Amongst VASP Supervisors.”

Of particular note are the implications for decentralized exchanges (DEXs) and decentralized applications (DApps), peer-to-peer (P2P) transactions, and implementation of the travel rule.

DEXs and DeFi

The draft guidance notes that “exchange or transfer services” are often provided through “so-called decentralized exchanges or platforms” and that DEXs and DApps “still usually have a central party with some measure of involvement, such as creating and launching an asset, setting parameters, holding an administrative ‘key’ or collecting fees.” The guidance clarifies that a DApp itself is not a VASP because the FATF’s standards “do not apply to underlying software or technology,” but it goes on to state that “entities involved with the DApp may be VASPs under the FATF definition” and adds that owners/operators of DApps are “likely to be a VASP even if other parties play a role in the service or portions of the process are automated.” However, it is not entirely clear how FATF’s approach would apply to a DEX or DApp that did not have any “central party” or whether the organization believes such a model can even exist. Nor is it clear whether the draft guidance fully comports with guidance on DEXs and DApps issued by the United States’ Financial Crimes Enforcement Network (FinCEN) in 2019, which addresses both topics, but in a manner that has continued to create some confusion for industry.

P2P Transactions:

According to the draft guidance, peer-to-peer (P2P) transactions are “not explicitly subject to the AML/CFT obligations under the FATF Recommendations,” but FATF adds that such transactions “could pose heightened risk” particularly if they “gain widespread and mainstream

traction and are readily used as a means of payment or investment without a VASP.” As such, the draft guidance states that VASPs should consider whether any VAs or products they intend to launch or transact with will enable P2P transactions, and how money laundering or terrorist financing risks should be mitigated. VASPs should also consider the extent to which their customers may engage in or be involved with P2P activity. Among other measures, FATF suggests that countries should consider “denying licensing of VASPs if they allow transactions to/from non-obliged entities (i.e., private / unhosted wallets) (e.g., oblige VASPs via the ‘travel rule’ to accept transactions only from/to other VASPs)” or subjecting VASPs that engage in such activity to enhanced supervision or additional regulatory requirements. This focus on the interaction between VASPs and P2P transactions is similarly reflected in FinCEN’s recent proposed rule targeting certain dealings by banks and money services businesses involving so-called “unhosted wallets.”

Travel Rule:

With regard to the travel rule, the FATF guidance provides a variety of additional detail, including with respect to data requirements for ordering and beneficiary VASPs, definitions of relevant terms such “immediately” and “securely,” sanctions screening requirements, and counterparty VASP due diligence. The draft guidance notes that travel rule regulations will come into effect in different jurisdictions at various times, but adds that “[r]egardless of the lack of regulation in the beneficiary jurisdiction, originating entities can require travel rule compliance from beneficiaries by contract or business practice.” The guidance also suggests that VASPs should collect and retain travel-rule related information even where only one VASP is involved in a given transaction.

Request for Feedback:

FATF is requesting feedback from industry on the following areas:

  1. “Does the revised Guidance on the definition of VASP provide more clarity on which businesses are undertaking VASP activities and are subject to the FATF Standards?
  2. What are the most effective ways to mitigate the money laundering and terrorist financing (ML/TF) risks relating to peer-to-peer transactions (i.e., VA transfers conducted without the use or involvement of a VASP or other obliged entity, such as VA transfers between two unhosted wallets)?
  3. Does the revised Guidance in relation to the travel rule need further clarity?
  4. Does the revised Guidance provide clear instruction on how FATF Standards apply to so-called stablecoins and related entities?
  5. Are there any further comments and specific proposals to make the revised Guidance more useful to promote the effective implementation of FATF Standards?”

Given the significant changes in the draft guidance and the global consequences of FATF’s actions, the comment period presents an important opportunity for industry to raise concerns and provide additional suggestions to FATF. Comments are due by April 20, 2021. Steptoe is available to assist interested parties in preparing comments for submission.