Glossary & Acronyms
AEC : Anonymity-Enhanced Cryptocurrency
ICO : Initial Coin Offering
MVTS : Money or Value Transfer Service
NPPS : New Payment Products and Services
P2P : Peer-to-Peer
RBA : Risk Based Approach
VA : Virtual Asset: a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.
VASP : Virtual Asset Service Provider
VC : Virtual currency
VCPPS : VC payment products and services
Key Definitions
Who or what is considered a Virtual Asset Service Provider (VASP)
FATF defines “Virtual asset service provider” as any natural or legal person who is not covered elsewhere under the Recommendations and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:
- Exchange between virtual assets and fiat currencies;
- Exchange between one or more forms of virtual assets;
- Transfer of virtual assets; and
- Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets;
- account for services or business models that combine the function of safeguarding the value of a customer’s VAs with the power to manage or transmit the VAs independently from the owner, under the assumption that such management and transmission will only be done according to the owner’s/customer’s instructions.
- Safekeeping and administration services include persons that have exclusive or independent control of the private key associated with VAs belonging to another person or exclusive and independent control of smart contracts to which they are not a party that involve VAs belonging to another person.
- Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
- Natural or legal persons that actively facilitate the offer or issuance of and trading in VAs, including by accepting purchase orders and funds and purchasing VAs from an issuer to resell and distribute the funds or assets, such as ICOs, may also fall within the scope of items (i), (ii), and (iii) as well as within item (v), participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.
- In the context of ICOs, may therefore involve both the jurisdiction’s money transmission regulations as well as its regulations governing securities, commodities, or derivatives activities.
- The relevant competent authorities in jurisdictions should therefore strive to apply a functional approach that takes into account the relevant facts and circumstances of the platform, assets, and activity involved, among other factors, in determining whether the entity meets the definition of an “exchange” or other obliged entity (such as a securities-related entity) under their national legal framework and whether an entity falls within a particular definition.
- When solely developing or selling the application or platform, may be considered a VASP if they also use the new application or platform to engage as a business in exchanging or transferring funds or conducting any of the other financial activity described above on behalf of another natural or legal person.
- The FATF does not seek to regulate, as VASPs, natural or legal persons that provide ancillary services or products to a virtual asset network, including hardware wallet manufacturers and non-custodial wallets, to the extent that they do not also engage in or facilitate as a business any of the aforementioned covered VA activities on behalf of their customers.
- (Interpretive Note INR 15) does not exempt specific assets based on terms that may lack a common understanding across jurisdictions or even among industry (e.g., “utility tokens”), because FATF is technology-neutral. The framing of the Recommendations is activity-based and focused on functions in order to provide jurisdictions with sufficient flexibility.
- Some ICOs, for example, “gaming tokens,” and other “gaming tokens” can be used to obfuscate transaction flows between an in-game token and its exchange for or transfer to a VA. Secondary markets also exist in both the securities and commodities sectors for “goods and services” that are fungible and transferable. For example, users can develop and purchase certain virtual items that act as a store of value and in fact accrue value or worth and that can be sold for value in the VA space.
- See also
- Definitions and AML/CFT Risks
- RBA for Pre-paid cards, mobile payments and internet based payment services
FATF Covered entities
- Covered entities: Providers of VCPPS conducting activities which fall within the FATF definition of a financial institution are subject to the applicable FATF Recommendations
- Apply the relevant FATF Recommendations to any of these categories of covered entities, on a risk basis, depending on the intensity or volume of specific VC activities involved and their own national legal frameworks
What is a Financial Institution as defined by FATF?
- Inclusion in the FATF definition means the FATF Recommendations apply to the subject entity.
- any natural or legal person who conducts as a business one or more of several specified activities for or on behalf of a customer, most relevant to currently available VCPPS include:
- persons that conduct as a business Money or value transfer services (MVTS);
- acceptance of deposits and other repayable funds from the public;
- issuing and managing means of payment; and
- trading in foreign exchange, or transferable securities.
- decentralised VC exchangers, wallet providers, and payments processors/senders
Convertible VC, which can be used to move value into and out of fiat currencies and the regulated financial system, is likely to present ML/TF risks.
- Under the RBA, countries should focus their AML/CFT efforts on higher-risk convertible VCs.
- May consider regulating financial institutions or DNFBP that send, receive, and store VC, but do not provide exchange or cash-in/cash-out services between virtual and fiat currency.
- Target Convertible VC nodes—i.e., points of intersection that provide gateways to the regulated financial system—and not seek to regulate users who obtain VC to purchase goods or services.
Initial Risk Assessment
- The overall risk should be determined through an assessment of the VASP sector at a national level under the guidance of Recommendation 1.
- Under the risk-based approach and in accordance with paragraph 2 of Interpretive Note to Recommendation 15 (INR 15), countries should identify, assess, and understand the ML/TF risks emerging from this space and focus their AML/CFT efforts on potentially higher-risk VAs, covered VA activities, and VASPs.
- Countries should require VASPs (as well as other obliged entities that engage in VA financial activities or operations or provide VA products or services) to identify, assess, and take effective action to mitigate their ML/TF risks.
- focus on the financial conduct or activity surrounding the VA or its underlying technology and how it poses ML/TF risks (e.g., the potential for enhanced anonymity, obfuscation, disintermediation, and decreased transparency or technology, platforms, or VAs that undermine a VASP’s ability to perform AML or CDD)
- Take into account all of the risk factors that the VASP as well as its competent authorities consider relevant, including the types of services, products, or transactions involved; customer risk; geographical factors; and type(s) of VA exchanged, among other factors.
- If customer identification and verification measures do not adequately address the risks associated with non-face-to-face or opaque transactions, the ML/TF risks increase, as does the difficulty in tracing the associated funds and identifying transaction counterparties.
- In the context of cross-border transactions and when there is a lack of clarity on which entities or persons (natural or legal) involved in the transaction are subject to AML/CFT measures and which countries are responsible for regulating (including licensing and/or registering) and supervising or monitoring those entities for compliance with their AML/CFT obligations.
Elements to consider when identifying, assessing, and determining how best to mitigate the risks associated with covered VA activities and the provision of VASP products or services:
- The potentially higher risks associated both with VAs that move value into and out of fiat currency and the traditional financial system and with virtual-to-virtual transactions;
- The risks associated with centralised and decentralised VASP business models;
- The specific types of VAs that the VASP offers or plans to offer and any unique features of each VA, such as AECs, embedded mixers or tumblers, or other products and services that may present higher risks by potentially obfuscating the transactions or undermining a VASP’s ability to know its customers and implement effective customer due diligence (CDD) and other AML/CFT measures;
- The specific business model of the VASP and whether that business model introduces or exacerbates specific risks;
- Whether the VASP operates entirely online (e.g., platform-based exchanges) or in person (e.g., trading platforms that facilitate peer-to-peer exchanges or kiosk-based exchanges);
- Exposure to Internet Protocol (IP) anonymizers such as The Onion Router (TOR) or Invisible Internet Project (I2P), which may further obfuscate transactions or activities and inhibit a VASP’s ability to know its customers and implement effective AML/CFT measures;
- The potential ML/TF risks associated with a VASP’s connections and links to several jurisdictions;
- The nature and scope of the VA account, product, or service (e.g., small value savings and storage accounts that primarily enable financially-excluded customers to store limited value);
- The nature and scope of the VA payment channel or system (e.g., open- versus closed-loop systems or systems intended to facilitate micro-payments or government-to-person/person-to-government payments); as well as
- Any parameters or measures in place that may potentially lower the provider’s (whether a VASP or other obliged entity that engages in VA activities or provides VA products and services) exposure to risk (e.g., limitations on transactions or account balance).
Types of VA activities conducted by natural or legal persons
Countries should consider whether the activities involve a natural or legal person that conducts as a business the five functional activities described for or on behalf of another natural or legal person, both of which are essential elements to the definition and the latter of which implies a certain level of “custody” or “control” of the virtual asset, or “ability to actively facilitate the financial activity” on the part of the natural or legal person that conducts the business for a customer.
- “Traditional” VA exchanges or VA transfer services that actively facilitate the exchange of VA for real currency or other forms of VA and/or for precious metals for remuneration (e.g. for a fee, commission, spread, or other benefit). These models typically accept a wide range of payment methods, including cash, wires, credit cards, and VAs.
- Providers of kiosks—often called “ATMs,” “bitcoin teller machines,” “bitcoin ATMs,” or “vending machines”—may also fall into the above definitions because they provide or actively facilitate covered VA activities via physical electronic terminals (the kiosks) that enable the owner/operator to actively facilitate the exchange of VAs for fiat currency or other VAs.
- VA escrow services, including services involving smart contract technology, that VA buyers use to send or transfer fiat currency in exchange for VAs, when the entity providing the service has custody over the funds;
- Brokerage services that facilitate the issuance and trading of VAs on behalf of a natural or legal person’s customers;
- Order-book exchange services, which bring together orders for buyers and sellers, typically by enabling users to find counterparties, discover prices, and trade, potentially through the use of a matching engine that matches the buy and sell orders from users; and
- Advanced trading services that allow users to buy portfolios of VAs and access more sophisticated trading techniques, such as trading on margin or algorithm-based trading.
- Peer-to-Peer trading platforms: where the platform facilitates the exchange, transfer, or other financial activity involving VAs (as described in VASP definition items (i) through (v)), including by purchasing VAs from a seller when transactions or bids and offers are matched on the trading platform and selling the VAs to a buyer, then the platform is a VASP conducting exchange and/or transfer activity as a business on behalf of its customers.
- Decentralized VA payment systems may be VASPs when they engage as a business in facilitating or conducting the activities previously described on behalf of another natural or legal person.
- Decentralized exchanges or platforms “Decentralized (distributed) application (DApp),”: software programs that operate on a peer-to-peer network of computers running a blockchain platform—a type of distributed public ledger that allows the development of secondary blockchains—designed such that they are not controlled by a single person or group of persons and thus do not have an identifiable administrator.
- An owner/operator of a DApp may deploy it to perform a wide variety of functions, including acting as an unincorporated organization, such as a software agency, to provide virtual asset activities.
- When DApps facilitate or conduct the exchange or transfer of value (whether in VA or traditional fiat currency), the DApp, its owner/operator(s), or both may fall under the definition of a VASP.
- Technology neutral:
- AML/CFT regulations will apply to covered VA activities and VASPs, regardless of the type of VA involved in the financial activity (e.g., a VASP that uses or offers AECs to its customers for various financial transactions), the underlying technology, or the additional services that the platform potentially incorporates (such as a mixer or tumbler or other potential features for obfuscation).
Risk Based Approach and National Coordination
Application of FATF Standards to Countries and Competent Authorities
For the purposes of applying the FATF Recommendations, countries should consider all funds- or value-based terms in the Recommendations, such as “property,” “proceeds,” “funds,” “funds or other assets,” and other “corresponding value,” as including VAs.
- FATF Recommendation 1
- Apply a RBA to ensure that measures to prevent or mitigate ML/TF risks are commensurate with the risks identified.
- The risk assessment should (i) enable all relevant authorities to understand how specific VA products and services function, fit into, and affect all relevant regulatory jurisdictions for AML/CFT purposes (e.g., money transmission and payment mechanisms, VA kiosks, VA commodities, VA securities or related issuance activities, etc., as highlighted in the VASP definition) and (ii) promote similar AML/CFT treatment for similar products and services with similar risk profiles.
- The ML/TF risks of convertible VC differ vastly depending on the distinction between centralised and decentralised VC.
- Convertible decentralised VCPPSs in general are of higher risk of ML/TF, requiring the application of enhanced due diligence measures.
- Due to anonymity and resulting challenges to conduct a proper identification of the participant
- Require VASPs, financial institutions and DNFBP to identify, assess, and take effective action to mitigate their ML/TF risks associated with VCPPS by applying a RBA to ensure that appropriate measures to prevent or mitigate those risks are implemented.
- Regulate exchange platforms between convertible virtual currencies and fiat currencies (i.e., convertible virtual currency exchangers).
- If prohibiting VC activities, based on their own risk assessment (including, e.g., uptake trends) and national regulatory context in order to support other policy goals, they should take into account, among other things, the impact a prohibition would have on the local and global level of ML/TF risks, including whether prohibiting VC payments activities could drive them underground, where they will continue to operate without AML/CFT controls or oversight.
- Countries also need to take into account the cross-border element of VCPPS in their risk mitigation strategies.
- Consider examining the relationship between AML/CFT measures for covered VA activities and other regulatory and supervisory measures (e.g., consumer protection, prudential safety and soundness, network IT security, tax, etc.), as the measures taken in other fields may affect the ML/TF risks.
- The requirement applies in relation to the risks associated with new technologies under Recommendation 15
- FATF Recommendation 2
- National cooperation and coordination: Put into place mechanisms, such as inter-agency working groups, to enable policy-makers, regulators, supervisors, the financial intelligence unit (FIU), and law enforcement authorities to cooperate with each other and any other relevant competent authorities to develop and implement effective policies, regulations and other measures to address VC ML/TF risks.
- Undertake a risk assessment of VCPPS/VASP that
- (1) enables all relevant authorities to understand how specific VC products and services function, fit into, and impact all relevant regulatory jurisdictions for AML/CFT purposes (e.g., money transmission/payments systems; VC ATMs; commodities; securities or derivatives) and
- (2) promotes similar AML/CFT treatment for similar products and services having similar risk profiles.
- Countries should also consider adopting their national cooperation and coordination mechanism(s) that facilitates engagement with the VC private sector.
Treatment of Virtual Assets: Interpreting the Funds or Value-Based Terms
- Recommendation 3
o The ML offence should extend to any type of property, regardless of its value, that directly represents the proceeds of crime, including in the context of VAs. When proving that property is the proceeds of crime, it should not be necessary that a person be convicted of a predicate offence, including in the case of VA-related proceeds.
- Recommendation 4
o The confiscation and provisional measures should also apply to VAs with a court order.
- Recommendation 5
o The TF offences described in Recommendation 5 should extend to VAs, whether from a legitimate or illegitimate source (see INR. 5)
- Recommendation 6
o Asset/funds freezes also apply to VAs of designated persons or entities; ensure that no VAs are made available to or for their benefit.
- Recommendation 7
o Targeted financial sanctions related to proliferation should also freeze without delay the VAs of designated persons or entities and ensure that no VAs are made available to them.
- Recommendation 8
o Apply measures, in line with the risk-based approach, to protect non-profit organisations from terrorist financing abuse, including when the clandestine diversion of funds to terrorist organisations involves VAs.
- Recommendation 30
o Applies to covered VA activities and VASPs in the context of the applicability of all funds- or value-based terms. As with other types of property or proceeds of crime, countries should ensure that competent authorities have responsibility for expeditiously identifying, tracing, and initiating actions to freeze and seize VA-related property that is, or may become, subject to confiscation or is suspected of being the proceeds of crime. Implement Recommendation 30, regardless of how the jurisdiction classifies VAs in its national legal framework (i.e., regardless of how VAs are categorized legally with respect to the property laws of the jurisdiction).
- Recommendation 33 (statistics on the suspicious transaction reports (STRs))
o In the context of VASPs and VA activities, maintain statistics on the STRs that competent authorities receive from VASPs and from other obliged entities, such as banks, that submit STRs relating to VASPs, VAs, or VA activities. As with other Recommendations (e.g., Recommendation 3 through 8, 30, 35, and 38), countries should also maintain statistics on any VAs that competent authorities freeze, seize, or confiscate, regardless of how the jurisdiction categorizes VAs with respect to the property laws of its national legal framework.
- Recommendation 35
- Adopt a range of effective, proportionate and dissuasive sanctions (criminal, civil or administrative) available to deal with natural or legal persons covered by Recommendations 6 and 8 to 23, that fail to comply with the applicable AML/CFT requirements.
- Decentralised convertible VCPPS present numerous challenges to applying traditional law enforcement tools and conducting successful prosecutions.
- Anonymity of most decentralised VC transactions makes it difficult to determine the identities of the persons involved.
- The historical transactions records generated on the blockchain by the underlying protocols are not necessarily associated with real world identity.
- This level of anonymity limits the blockchain’s usefulness for monitoring transactions and identifying suspicious activity, and presents a significant challenge to law enforcement’s ability to trace illicit proceeds that are laundered using decentralised convertible VC.
- Due to decentralization, law enforcement cannot target one central location or entity for investigative purposes.
- Conduct a review of the challenges that exist in a specific country context to identify potential gaps and take action, as appropriate. Some basic measures to implement include
- Licensing or registration of VC-exchangers, and
- application of customer identification/verification and recordkeeping requirements.
- Recommendation 38
o contains funds- or value-based terms and applies in the context of VAs with regards to International Co-operation and the implementation of Recommendations 37 through 40, as described in paragraph 8 of (INR 15).
Licensing or Registration
- designate one or more authorities that have responsibility for licensing and/or registering VASPs in accordance with (INR 15) paragraph 3, based on
- where they are created
- includes the incorporation of companies or any other mechanism that is used domestically to formalise the existence of a legal entity, such as registration in the public register, commercial register, or any equivalent register of companies or legal entities; recognition by a notary or any other public officer; filing of the company bylaws or articles of incorporation; allocation of a company tax number, etc.
- Place of business
- Natural person VASP should be required to be licensed or registered in the jurisdiction where its place of business is located.
- the primary location where the business is performed or where the business’ books and records are kept as well as where the natural person resides (i.e., where the natural person is physically present, located, or resident).
- When a natural person conducts business from his/her residence, or a place of business cannot be identified, his/her primary residence may be regarded as his/her place of business.
- Location of the server
- The place of business may also include the location of the server of the business.
- Conditions on licensing or registering VASPs should enable authorities to supervise the VASPs effectively, allow for sufficient supervisory hold, and could potentially include requiring a resident executive director, substantive management presence, or specific financial requirements.
- Host jurisdictions may therefore require registration or licencing of VASPs whose services can be accessed by or are made available to people residing or living within their jurisdiction.
- Implement legal or regulatory measures to prevent criminals or their associates from holding, or being the beneficial owner of, a significant or controlling interest, or holding a management function in a VASP. Such measures should include requiring VASPs to seek authorities’ prior approval for substantive changes in shareholders, business operations, and structures.
- National authorities should have mechanisms to monitor the VASP sector as well as other obliged entities that may engage in covered VA activities or operations or provide covered VA products or services and ensure that appropriate channels are in place for informing VASPs and other obliged entities of their obligation to register or apply for a license with the relevant authority.
- Designate an authority responsible for identifying and sanctioning unlicensed or unregistered VASPs (as well as other obliged entities that engage in VA activities).
- Even countries that choose to prohibit VA activities or VASPs in their jurisdiction should have in place tools and authorities to identify and take action against natural or legal persons that fail to comply with their legal obligations (Recommendation 15).
- consider web-scraping and open-source information to identify online advertising or possible solicitations for business by an unregistered or unlicensed entity;
- information from industry circles (including by establishing channels for receiving public feedback);
- FIU or other information from reporting institutions, such as STRs or bank-provided investigative leads that may reveal the presence of an unlicensed or unregistered natural or legal person VASP;
- non-publicly available information, such as whether the entity previously applied for a license or registration or had its license or registration withdrawn and law enforcement and intelligence reports; as well as other investigative tools or capabilities.
- Co-ordination between the various national authorities involved in the regulation and licensing or registration of VASPs is important (Recommendation 2).
- Recommendation 14
- Register or license natural or legal persons that provide MVTS in the country, and ensure their compliance with the relevant AML/CFT measures and monitor for compliance.
- The registration/licensing requirements apply to domestic entities providing convertible VC exchange services
- Convertible VC exchangers that transfer value digitally via the internet are not subject to territorial boundaries and generally offer VCPPS to persons in countries in which they are not physically present, so it is very important that all home countries apply domestic licensing or registration requirements when required by the FATF Recommendations.
- Proper oversight by the home jurisdiction and adequate cooperation and information exchange between competent authorities in the jurisdictions where the entity provides services are of high importance.
- Recommendation 15
- Requires countries (and FIs licensed and operated therein) to identify and assess ML/TF risks relating to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
- This includes VCPPS.
- The amended FATF Recommendation 15 requires that VASPs be regulated for anti-money laundering and combating the financing of terrorism (AML/CFT) purposes, licenced or registered, and subject to effective systems for monitoring or supervision.
- Interpretive Note to Recommendation 15 to further clarify how the FATF requirements should apply in relation to VAs and VASPs, in particular with regard to the application of the risk-based approach (RBA) to VA activities or operations and VASPs;
Supervision or Monitoring
- Recommendations 26 and 27 (also paragraph 5 of (INR 15))
- Require countries to ensure that VASPs are also subject to adequate regulation and supervision or monitoring for AML/CFT and are effectively implementing the FATF Recommendations, in line with their ML/TF risks.
- VASPs should be supervised or monitored by a competent authority, not a self-regulatory body (SRB), which should conduct risk-based supervision or monitoring.
- Supervisors should have adequate powers to supervise or monitor and ensure compliance by VASPs, including the authority to conduct inspections, compel the production of information, and impose a range of disciplinary and financial sanctions, including the power to withdraw, restrict, or suspend the VASP’s license or registration.
- Given the cross-border nature of VASPs and the potential challenges in associating a particular VASP with a single jurisdiction, international co-operation between relevant supervisors is also of specific importance, as underlined in paragraph 8 of (INR 15).
- Also refer to the relevant work of other international standard-setting bodies for useful guidance in this respect, such as the International Organization of Securities Commissions as well as the Basel Committee on Banking Supervision.
- When a DNFBP engages in VASP activity, countries should subject the entity to all of the relevant measures for VASPs set forth in the FATF Recommendations, including with respect to supervision or monitoring.
Transparency and Beneficial Ownership of Legal Persons and Arrangements
- Recommendation 24 and Recommendation 25
- Take measures to prevent the misuse of legal persons and arrangements for money laundering and terrorist financing, including taking measures to prevent the misuse of VASPs and consider measures to facilitate access to beneficial ownership and control information by VASPs undertaking the requirements set out in Recommendations 10 and 22.
Operational and Law Enforcement
- Recommendation 29
- STRs filed by VASPs (or other obliged entities such as traditional FIs that may be operating in the VA space or engaging in covered VA activities) under Recommendation 20 must be filed with the FIU.
- FIUs should be able to obtain additional information from reporting entities in their jurisdiction, which include VASPs, and should have access on a timely basis to the financial, administrative, and law enforcement information that the FIU requires to undertake its functions properly
- Recommendation 31
- Countries and competent authorities should be able to obtain access to all necessary documents and information, including powers to use compulsory measures for the production of records, held by VASPs.
- Need effective mechanisms in place to identify whether natural or legal persons such as VASPs hold or control VA accounts or wallets and mechanisms for ensuring that competent authorities have a process to identify assets, including VAs, without prior notification to the owner.
- Recommendation 30 and Recommendation 33 (applicable via funds- or value-based terms)
- Recommendation 32
- Take a risk-based approach in considering whether to apply Recommendation 32 to VASPs based on (a) whether the activities of VASPs and with VAs fall under the parameters of transportation of physical monetary instruments and (b) how establishing requirements for declaration and systems for detection of cross-border movement of such assets would work in practice as well as how they would mitigate ML/TF risks in their jurisdiction.
- Recommendation 34
- The relevant competent authorities should establish guidelines and provide feedback that will assist VASPs (as well as other obliged entities, including traditional FIs) in applying national measures to combat money laundering and terrorist financing and, in particular, in detecting and reporting suspicious transactions—whether virtual/fiat or virtual/virtual.
International Cooperation
- Recommendation 36 through 40
- Effective implementation of the requirements relating to international co-operation is important for preventing providers of VA activities in one jurisdiction from having an unfair competitive advantage over providers in other, potentially more regulated, jurisdictions, and for limiting jurisdiction shopping or hopping or regulatory arbitrage.
- Recognizing that effective regulation, supervision, and enforcement relating to the VASP sector requires a global approach and a level regulatory framework across jurisdictions.
- Recommendation 37
- Countries should have in place the tools necessary to co-operate with one another, provide mutual legal assistance;
- Recommendation 38
- help identify, freeze, seize, and confiscate the proceeds and instrumentalities of crime that may take the form of VAs as well as other traditional assets associated with VASP activities; and
- Recommendation 39
- provide effective extradition assistance in the context of VA-related crimes or illicit actors who engage in illicit activities.
- FIUs co-operate and exchange information on relevant STRs with their counterparts in a timely manner, especially in relation to cross-border VA activities or VASP operations
- Paragraph 8 of INR 15: supervisors of VASPs exchange information promptly and constructively with their foreign counterparts.
- International co-operation is also relevant in the context of VASPs that seek to register or license themselves in one jurisdiction but provide products or services “offshore” to customers located in other jurisdictions.
- Many countries do not have legal frameworks that allow them to criminalize certain VA-related ML/TF activities, which could further limit their ability to provide effective mutual legal assistance in situations where dual criminality is required.
DNFBPs that Engage in or Provide Covered VA Activities
- Should be subject to all of the measures for VASPs set forth in the FATF Recommendations (e.g., when a casino offers VA-based gaming or engages in other covered VA activities, products, or services)
- Recommendation 22 and Recommendation 23 set out the CDD, recordkeeping, and other requirements for certain types of DNFBPs in the following situations:
- casinos,
- real estate agents,
- dealers in precious metals and stones,
- lawyers, notaries, other independent legal professionals and accountants, and
- trust and company service providers
- Recommendation 22 specifically notes that the requirements set out in Recommendations 10, 11, 12, 15, and 17 apply to DNFBPs.
- Recommendation 28 requires subjecting DNFBPs to regulatory and supervisory measures.
- The level of supervision and regulation should be on par with that applied to FIs, not DNFBP-level supervision.
- Where a DNFBP engages in covered VASP activities, countries should subject the DNFBP to a higher level of supervision (e.g., “DNFBP plus” supervision), consistent with the higher level of supervision for all VASPs as laid out in Recommendations 26 and 27.
Risk-Based Approach to Supervision or Monitoring of VASPs: Understanding the ML/TF Risks
- In the case of supervision, the risk-based approach applies to the way in which supervisory authorities allocate their resources, including supervisors discharging their functions in a way that is conducive to the application of the risk-based approach by VASPs.
- An effective risk-based regime should reflect a country’s policy, legal, and regulatory approach.
- The national policy, legal, and regulatory framework should also reflect the broader context of financial sector policy objectives, including financial inclusion, financial stability, financial integrity, and financial consumer protection goals.
- Supervisors should also develop a deep understanding of the VASP market, its structure, and its role in the financial system and the country’s economy.
- Draw on a variety of sources to identify and assess the ML/TF risks associated with VA products and VASPs, such as the jurisdiction’s national or sectoral risk assessments, domestic or international typologies and supervisory expertise, and FIU guidance and feedback.
- Work with the sector to understand its risks and to help the private sector in developing its own understanding of the risks.
- Take into account the level of risk associated with the VASPs’ products and services, business models, corporate governance arrangements, financial and accounting information, delivery channels, customer profiles, geographic location, countries of operation, VASPs’ level of compliance with AML/CFT measures, as well as the risks associated with specific VA tokens or products that potentially obfuscate transactions or undermine the ability of VASPs and supervisors to implement effective AML/CFT measures.
- Supervisors should also look at the controls in place in a VASP, including the quality of a VASP’s risk management policy or the functioning of its internal oversight mechanisms.
- Prudential Regulations: entities that engage in covered VA activities are subject to prudential regulations (i.e., where VASPs are traditional FIs subject to the Core Principles, such as banks, insurance companies, securities providers, or investment companies)
- This involves appropriate information sharing and collaboration between prudential and AML/CFT supervisors.
- Review assessment of the risk profiles of both the VASP sector and VASPs periodically and update when circumstances change materially or relevant new threats emerge.
Mitigating the ML/TF Risks
- Supervisors should allocate and prioritize more supervisory resources to areas of higher ML/TF risk.
- give priority to the potential areas of higher risk, either within the individual VASP (e.g., to the particular products, services, or business lines that a VASP may offer, such as particular VAs or VA services like AECs or mixers and tumblers that may further obfuscate transactions or undermine the VASP’s ability to implement CDD measures) or to VASPs operating in a particular sector (e.g., to VASPs that only or predominantly facilitate virtual-to-virtual financial activities or that offer particular VA obfuscating products or services, or VASPs that facilitate VA transfers on behalf of their customers to individual users that are not customers of another regulated entity, such as a beneficiary institution).
- VASPs should understand that a flexible risk-based approach does not exempt them from applying effective AML/CFT controls.
- Ways in which supervisors can adjust their approach include:
- Adjusting the type of AML/CFT supervision or monitoring: supervisors should employ both offsite and onsite access to all relevant risk and compliance information.
- Adjusting the frequency and nature of ongoing AML/CFT supervision or monitoring: supervisors should adjust the frequency of AML/CFT examinations in line with the risks identified and combine periodic reviews and ad hoc AML/CFT supervision as issues emerge (e.g., as a result of whistleblowing, information from law enforcement, analysis of financial reporting or other supervisory findings).
- Other risk-based approaches to supervision could include consideration of the geographic location, registration or licensing status, customer base, transaction type (e.g., virtual/fiat or virtual/virtual transactions), VA type, number of accounts or wallets, revenue, products or services offered (e.g., more transparent services versus those products or services that obfuscate transactions, such as AECs), prior history of non-compliance, and/or significant changes in management.
- Adjusting the intensity of AML/CFT supervision or monitoring:
- decide on the appropriate scope or level of assessment in line with the risks identified, with the aim of assessing the adequacy of VASPs’ policies and procedures that are designed to prevent VASPs’ abuse. Examples of more intensive supervision could include detailed testing of systems and files to verify the implementation and adequacy of the VASPs’ risk assessment, reporting and recordkeeping policies and processes, internal auditing, interviews with operation staff, senior management and the Board of Directors, where applicable.
Application of FATF standards
Application of FATF standards to VASPs and other obliged entities that engage in or provide covered VA activities
- The lack of a dedicated paragraph for each FATF Recommendation within the preventive measures does not mean that the respective Recommendations or preventive measures contained therein do not also apply to VASPs and other obliged entities that engage in or provide VA activities.
- Recommendation 10
- required CDD measures that FIs must implement for all customers, including identifying the customer and verifying the customer’s identity using reliable, independent source documents, data or information (authentication); identifying the beneficial owner; understanding and obtaining information on the purpose and intended nature of the business relationship (risk profile); and conducting ongoing due diligence on the relationship and scrutiny of transactions.
- VA transfers (esp. meeting threshold requirements) are treated as cross-border qualifying wire transfers for the purposes of applying Recommendation 16.
- banks, broker-dealers, and other FIs must still adhere to their respective CDD thresholds when engaging in covered VA activities
- Similar requirements for DNFBPs
- CDD components to fulfil VASPs’ obligations under Recommendation 10
- obtain and verify the customer identification/verification information, including
- customer’s name and further identifiers such as physical address, date of birth, and a unique national identifier number (e.g., national identity number or passport number).
- VASPs are also encouraged to collect additional information at onboarding such as an IP address with an associated time stamp; geo-location data; device identifiers; VA wallet addresses; and transaction hashes.
- prepare a customer risk profile to
- determine the level and type of ongoing monitoring
- to support the VASPs’ decision whether to enter into, continue, or terminate the business relationship.
- Risk profiles can apply at the customer level (e.g., nature and volume of trading activity, origin of virtual funds deposited, etc.) or at the cluster level, where a cluster of customers displays homogenous characteristics (e.g., clients conducting similar types of VA transactions or involving the same VA).
- VASPs should periodically update customer risk profiles of business relationships in order to apply the appropriate level of CDD/monitoring.
- “blacklisted wallet addresses,”
- When a VASP uncovers VA addresses that it has decided not to establish or continue business relations with or transact with due to suspicions of ML/TF, create a list of “blacklisted wallet addresses,” and screen its customer’s and counterparty’s wallet addresses against such list as part of its ongoing monitoring.
- Simplified CDD
- Allowed
- where the ML/TF risk associated with the business relationship or activities is lower.
- Not Allowed
- simply on the basis that natural or legal persons carry out the VA activities or services on an occasional or very limited basis (INR. 1.6(b)).
- whenever there is a suspicion of money laundering or terrorist financing or in specific higher-risk scenarios
- Ongoing monitoring on a risk basis is an essential component in identifying transactions that are potentially suspicious.
- Transactions that do not fit the expected behaviour of a customer profile, or that deviate from the usual pattern of transactions, may be potentially suspicious.
- Adjust the extent and depth of monitoring programs in line with institutional risk assessment and individual customer risk profiles.
- Apply enhanced monitoring for higher-risk situations and extend it beyond the immediate transaction between the VASP or its customer or counterparty.
- The adequacy of monitoring systems should be reviewed regularly for continued relevance to their AML/CFT risk program.
- Defined situations or thresholds used for this purpose should be reviewed on a regular basis to determine their adequacy for the risk levels established.
- document and state clearly the criteria and parameters used for customer segmentation and for the allocation of a risk level for each of the clusters of customers,
- The criteria applied to decide the frequency and intensity of the monitoring of different customer (or even VA product) segments should also be transparent.
- Recommendation 12
- VASPs must take reasonable measures to determine whether a customer or beneficial owner is a domestic or international organisation PEP and then assess the risk of the business relationship.
- For higher-risk business relationships, take additional measures consistent with those applicable to foreign PEPs, including identifying the source of wealth and source of funds.
- Recommendation 16
- Obtain, hold, and transmit required originator and beneficiary information associated with VA transfers in order to identify and report suspicious transactions, take freezing actions, and prohibit transactions with designated persons and entities.
- Submit the required information immediately, simultaneously or concurrent with the transfer itself—particularly given the cross-border nature, global reach, and transaction speed of VA activities.
- As the FATF is technology-neutral, any technology or software solution is acceptable, so long as it is compliant with the AML/CFT obligations. Examples:
- A code that is built into the VA transfer’s underlying DLT transaction protocol or that runs on top of the DLT platform (e.g., using a smart contract, multiple-signature, or any other technology);
- an independent (i.e., non-DLT) messaging platform or application program interface (API);
- or any other effective means for complying with the Recommendation 16 measures
- Leverage existing technologies to transmit the required originator and beneficiary information in near real-time before a VA transfer is conducted on a DLT platform by using these features:
- Public and private key pairs;
- Transport Layer Security/Secure Sockets Layer (TLS/SSL) connections, which secure almost all transmissions on the Internet;
- X.509 certificates, which are digital certificates administered by certificate authorities that use the X.509 PKI standard to verify that a public key belongs to the user, computer, or service identity in the certificate and which are used worldwide across public and private sectors;
- X.509 attribute certificates, which can encode attributes (such as name, date of birth, address, and unique identifier number), are attached cryptographically to the X.509 certificate, and are administered by attribute certificate authorities;
- API technology, which provides routines, protocols, and tools for building software applications and specifies how software components should interact; as well as
- Other commercially available technology or potential software or data sharing solutions.
- Recommendation 18
- The successful implementation and effective operation of a risk-based approach to AML/CFT depends on strong senior management leadership, which includes oversight of the development and implementation of the risk-based approach across the VASP sector.
- Recommendation 18 also requires information sharing within the group, regarding in particular unusual transactions or activities.
- Recommendation 20
- VASP services should have the ability to flag for further analysis any unusual or suspicious movements of funds or transactions or activity that is otherwise indicative of potential involvement in illicit activity, regardless of whether the transactions or activities are fiat-to-fiat, virtual-to-virtual, fiat-to-virtual, or virtual-to-fiat in nature.
- Should have appropriate systems to scrutinize such funds or transactions in a timely manner and to determine whether the funds or transactions are suspicious.
- Promptly report suspicious funds or transactions, including those involving or relating to VAs and/or providers, to the FIU and in the manner specified by competent authorities.
- Put in place procedures to escalate their suspicions and ultimately report to the FIU.
- The obligation for VASPs to report suspicious transactions is not risk-based, nor does the act of reporting discharge them from their other AML/CFT obligations.
- Should comply with applicable STR requirements even when operating across different jurisdictions.
- A VASP (or other obliged entity) that controls both the ordering and the beneficiary side of a VA funds or wire transfer should take into account all of the information from both the ordering and beneficiary sides in order to determine whether the information gives rise to suspicion and, where necessary, file an STR with the appropriate FIU and make relevant transaction information available to the FIU.
- Recommendation 26
- Convertible VC exchangers which act as nodes where convertible VC activities intersect with the regulated fiat currency financial system are subject to adequate regulation and supervision.
- Recommendation 16
- applies to cross-border wire transfers and domestic wire transfers.
- A wire transfer refers to any transaction carried out on behalf of an originator (a) through a financial institution (b) by electronic means with a view to making an amount of funds available to a beneficiary person or at a beneficiary financial institution, irrespective of whether the originator and the beneficiary are the same person.
- Ensure that convertible VC transfers that are wire transfers include required originator and beneficiary information.
- take appropriate measures to address transfers that lack the required originator and/or beneficiary information.
- Recommendation 40
- Provide efficient and effective international cooperation to help other countries combat ML, associated predicate offences and TF—including
- mutual legal assistance (Recommendation 37);
- help identifying, freezing, seizing and confiscating proceeds and instrumentalities of crime that may take the form of VC (Recommendation 38); and
- effective extradition assistance in the context of virtual currency related crimes (Recommendation 39)
- The FIUs should cooperate and exchange information on the STRs with their counterparts, especially in relation with cross border operations of VC.
- Many countries do not have legal frameworks that allow them to criminalize certain VC ML/TF activities, which could prevent their providing effective MLA in situations where dual criminality is required.
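The two checks described above, screening counterparty wallets against the VASP's own list of “blacklisted wallet addresses” (Recommendation 10) and dealing with transfers that lack required originator or beneficiary information (Recommendation 16), can run together on the beneficiary side before a transfer is credited. The following is an added example, not taken from the FATF text: the field set, the reject/hold outcomes, and all names and addresses are assumptions or constructed placeholders.

```python
from dataclasses import dataclass, field

# ASSUMPTION: the page does not list the required Recommendation 16 fields.
# This hypothetical set stands in for whatever your jurisdiction mandates.
REQUIRED_FIELDS = {
    "originator": ("name", "wallet_address", "identifier"),
    "beneficiary": ("name", "wallet_address"),
}


def normalize_address(addr: str) -> str:
    """Canonical form for list matching.

    Hex (0x...) and bech32 (bc1...) addresses are case-insensitive, so they are
    lower-cased. Base58 addresses are case-sensitive and are only trimmed.
    Prefix detection is a simplification; dispatch on the asset in production.
    """
    addr = addr.strip()
    if addr.lower().startswith(("0x", "bc1")):
        return addr.lower()
    return addr


@dataclass
class Decision:
    action: str  # "accept", "reject" or "hold" (hypothetical outcomes)
    reasons: list = field(default_factory=list)


def missing_fields(message: dict) -> list:
    """Return 'party.field' for every required value that is absent or blank."""
    missing = []
    for party, names in REQUIRED_FIELDS.items():
        record = message.get(party) or {}
        for name in names:
            if not str(record.get(name) or "").strip():
                missing.append(f"{party}.{name}")
    return missing


def evaluate_transfer(message: dict, blocklist: set) -> Decision:
    """Decide what to do with a transfer notice before crediting the customer."""
    gaps = missing_fields(message)
    if gaps:
        # Incomplete originator/beneficiary data: do not process as-is.
        return Decision("reject", [f"missing {g}" for g in gaps])
    canon = {normalize_address(a) for a in blocklist}
    hits = [
        party for party in ("originator", "beneficiary")
        if normalize_address(message[party]["wallet_address"]) in canon
    ]
    if hits:
        # A list hit is held for analyst review rather than silently dropped.
        return Decision("hold", [f"{p} wallet on internal list" for p in hits])
    return Decision("accept")


# Constructed sample data: placeholder addresses, not real wallets.
BLOCKLIST = {"0x" + "AB" * 20, "1ConstructedBase58AddrXyZ"}
SAMPLE = {
    "originator": {"name": "Alice Example", "identifier": "ID-0001",
                   "wallet_address": "0x" + "ab" * 20},
    "beneficiary": {"name": "Bob Example",
                    "wallet_address": "bc1qconstructedexample"},
}

if __name__ == "__main__":
    print(evaluate_transfer(SAMPLE, BLOCKLIST))
```

Lower-casing every address before comparison would create false matches on Base58 addresses, while comparing hex addresses byte-for-byte would let a list entry be missed through a change of letter case.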
Application of FATF Standards to Covered Entities
Application of FATF Standards to Covered Entities (i.e. Convertible VC exchanges and any other type of entities that act as nodes where convertible VC activities intersect with the regulated fiat currency financial system)
- Recommendation 1
- Financial institutions and DNFBPs need to identify, assess, and take effective action to mitigate their ML/TF risks (including those associated with VCPPS).
- on-going efforts to refine technical processes used to reliably identify and verify customers.
- assess the ML/TF risks posed by VC activities and apply a RBA to ensure that appropriate measures to prevent or mitigate those risks are implemented.
- Recommendation 10 (CDD)
- Require convertible VC exchangers to undertake customer due diligence
- When establishing business relations or when carrying out (non-wire threshold based) occasional transactions using reliable, independent source documents, data or information.
- When carrying out wire transfers covered by Recommendation 16. Usually convertible VC transactions will involve a wire transfer
- VCPPS must necessarily rely on non-face-to-face identification and verification.
- Require VCPPS to follow the best practices suggested in the June 2013 NPPS Guidance. These include:
- corroborating identity information received from the customer, such as a national identity number, with information in third party databases or other reliable sources;
- potentially tracing the customer’s Internet Protocol (IP) address; and
- searching the Web for corroborating activity information consistent with the customer’s transaction profile, provided that the data collection is in line with national privacy legislation.
- VCPPS presenting higher risk, as ascertained by the RBA should be required to conduct enhanced CDD in proportion to that risk, by using multiple techniques to take reasonable measures to verify customer identity.
- Financial institutions and DNFBPs should consider risks associated with the source of funding for the convertible VCPPS.
- Decentralised convertible VCPPS allow anonymous sources of funding, including peer-to-peer (P2P) VC transfers and funding by NPPS that are themselves anonymous, increasing ML/TF risks.
- As with NPPS, VCPPS businesses should implement threshold limits restricting the source of funds to a bank account or a credit or debit card, or at least apply such limitations to initial loading or for a set period until a transaction pattern can be established.
- Transaction monitoring is a key risk mitigant in the convertible VC space because of the difficulty of non-face-to-face identity verification.
- The public nature of transaction information available on the blockchain theoretically facilitates transaction monitoring
- But see June 2014 VC Report (Appendix A)—the lack of real world identity associated with many decentralised VC transactions limits the blockchain’s usefulness for monitoring transactions and identifying suspicious activity, presenting serious challenges to effective AML/CFT compliance and supervision.
- Use transaction monitoring commensurate with the risk
- Available multi-signature (multi-sig) technology enables VCPPS to effectively build loading, total wallet value, and value/velocity transaction limits into decentralised VCPPS.
- Current decentralised VC technology does not make it possible to effectively build in geographic limits; limit use to the purchase of certain goods and services; or prevent person-to-person transfers.
- Recommendation 11, Recommendation 20 and Recommendation 22 (Recordkeeping and Suspicious activity reporting)
- Financial institutions and DNFBPs should be required to maintain transaction records that include:
- information to identify the parties;
- the public keys, addresses or accounts involved;
- the nature and date of the transaction, and the amount transferred.
- The public information available on the blockchain provides a beginning foundation for record keeping, provided institutions can adequately identify their customers.
- Recommendation 15 and Recommendation 22
- Financial institutions and DNFBPs should identify and assess ML/TF risks relating to the development of new products and new business practices, including new delivery mechanisms, and the use of new or developing technologies for both new and pre-existing products.
- take appropriate measures to manage and mitigate risk before launching new products or business practices or using new or developing technologies.
Potential Solutions to Compliance Challenges
- Financial institutions and DNFBPs should be required to comply with customer identification and verification and transaction monitoring requirements for decentralised convertible VCPPS by developing technology-based solutions.
- For example, develop new VC technologies, such as application programming interfaces (APIs) that provide customer identification information, or allow financial institutions or DNFBPs to limit transaction size and velocity or establish other conditions to reduce the ML/TF risks associated with a particular VCPPS.
- Collect information online to augment the customer profile to help in detecting suspicious activity and transactions.
- Third-party digital identity systems may also be developed to facilitate AML/CFT compliance.
- Third-party digital identity custodians and/or other entities creating, authenticating, and maintaining digital identity solutions for specific CDD, monitoring, and reporting purposes
- Third party digital identity custodians would themselves need to be regulated to ensure identification/verification integrity.
- Explore developing business models to facilitate customer identification/verification, transaction monitoring, and compliance with other relevant AML/CFT requirements.
- For example, create an industry association(s) composed of vetted VC institutions and develop policies and practices for members that allow them to identify specific transactions as coming from a member that has applied appropriate CDD and is conducting appropriate transaction monitoring
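The loading, total wallet value, and value/velocity limits mentioned under Recommendation 10, and the APIs that limit transaction size and velocity mentioned above, amount to a policy check over a rolling time window. The following is an added example, not part of the FATF guidance: it assumes the VCPPS holds one key of a multi-sig arrangement and co-signs only when the check returns no violations, and every threshold, name, and event in it is hypothetical or constructed.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LimitPolicy:
    # Hypothetical thresholds in minor units; the page prescribes no values.
    max_single: int        # largest single transfer
    max_window_value: int  # total value allowed inside the rolling window
    max_window_count: int  # number of transfers allowed inside the window
    window_seconds: int    # length of the rolling window
    max_balance: int       # total wallet value cap, enforced on loading


class WalletLimiter:
    """Tracks one wallet and reports which limits a proposed transfer breaks."""

    def __init__(self, policy: LimitPolicy, balance: int = 0):
        self.policy = policy
        self.balance = balance
        self._recent = deque()  # (timestamp, amount) of accepted transfers

    def _expire(self, now: int) -> None:
        # Drop accepted transfers that have aged out of the window.
        cutoff = now - self.policy.window_seconds
        while self._recent and self._recent[0][0] <= cutoff:
            self._recent.popleft()

    def check(self, now: int, amount: int, direction: str) -> list:
        """Return violated limits; an empty list records the transfer."""
        if amount <= 0 or direction not in ("load", "send"):
            return ["invalid_request"]
        self._expire(now)
        p = self.policy
        violations = []
        if amount > p.max_single:
            violations.append("single_value")
        if sum(a for _, a in self._recent) + amount > p.max_window_value:
            violations.append("window_value")
        if len(self._recent) + 1 > p.max_window_count:
            violations.append("velocity")
        if direction == "load" and self.balance + amount > p.max_balance:
            violations.append("wallet_value")
        if direction == "send" and amount > self.balance:
            violations.append("insufficient_balance")
        if not violations:
            # Only accepted transfers count toward later window checks.
            self._recent.append((now, amount))
            self.balance += amount if direction == "load" else -amount
        return violations


def replay(policy: LimitPolicy, events: list, balance: int = 0) -> list:
    """Run (timestamp, amount, direction) events through a fresh limiter."""
    limiter = WalletLimiter(policy, balance)
    return [limiter.check(ts, amount, d) for ts, amount, d in events]


# Constructed policy and event sequence for illustration.
POLICY = LimitPolicy(max_single=500, max_window_value=1000,
                     max_window_count=3, window_seconds=3600, max_balance=1500)
EVENTS = [
    (0, 400, "load"), (60, 600, "load"), (120, 500, "load"),
    (180, 200, "send"), (240, 50, "send"), (300, 10, "send"),
    (3601, 10, "send"),
]

if __name__ == "__main__":
    for event, result in zip(EVENTS, replay(POLICY, EVENTS)):
        print(event, result or "ok")
```

Refused transfers are deliberately left out of the window so that a burst of rejected attempts cannot lock a wallet; a monitoring program would still log them, since repeated attempts just under a limit are themselves a pattern worth reviewing.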