FATF Provides Final Guidance

TRM InsightsInsights
FATF Provides Final Guidance

Today FATF released a final version of its Updated Guidance for a Risk Based Approach for Virtual Assets and Virtual Asset Providers with some significant changes from the earlier March 2021 draft guidance.

What you need to know:

  • The guidance clarifies and applies key definitions of Virtual Asset (VA) and Virtual Asset Provider (VASP) and encourages broad interpretation.
  • Non-fungible token (NFT) collectibles are generally not considered virtual assets, but if they are used for payment, investment purposes, or to transfer value they may constitute VAs. Doesn't that mean a lot of art and collectible NFTs could be VAs?
  • The guidance sets forth an "owner/operator" test to determine whether or not certain decentralized finance projects are VASPs. Take the test below.
  • Stablecoin issuers could be VASPs if there is a "central developer or governance body" that carries out basic management functions.
  • The guidance treats Peer-to-Peer (P2P) transactions as riskier and provides tips to crypto businesses and regulators to help mitigate those risks.

TRM is hosting a webinar with the co-chairs of FATF's Virtual Assets Contact Group on November 9 to discuss the guidance. Register here.

Today the global Financial Action Task Force (FATF), sometimes thought of as the 'United Nations for anti-money laundering,' issued final guidance following the release of a draft in March this year of a "Risk-Based Approach to Virtual Assets and Virtual Asset Providers." The draft guidance covered many of crypto's most pressing topics, from non-fungible tokens (NFTs) to self hosted wallets and decentralized finance (DeFi) — TRM covered it here. The draft guidance came with a period of public consultation during which FATF received comments from across the cryptoverse. After 6-months of public and private sector consultation, today FATF released its Updated Guidance For A Risk Based Approach For Virtual Assets and Virtual Asset Providers (guidance or final guidance). Following the consultation period FATF made some pretty significant changes to the March draft guidance on issues such as NFTs, DeFi and self-hosted wallets. Here's what you need to know:

FATF clarifies and applies key definitions of Virtual Asset (VA) and Virtual Asset Provider (VASP) and encourages broad interpretation.

While the standards themselves may not have changed, the application of those standards on emerging technologies could make a world of difference, says FATF, citing "the rise of anonymity-enhanced cryptocurrencies (AECs), mixers and tumblers, decentralized platforms and exchanges, privacy wallets" that are used by illicit actors to obfuscate transactions and evade law enforcement and blockchain analytics.

In order to take on these emerging and evolving illicit finance risks, FATF has, over the years, provided, clarified and applied two critical definitions - Virtual Asset (VA) and Virtual Asset Service Provider (VASP) that they believe should be interpreted broadly to meet the needs of regulators reacting in real time to changes in technology:

1. Virtual Asset (VA)

A VA is any item that is "digital" and “digitally traded or transferred and can be capable of being used for payment or investment purposes.” While FATF intentionally created a broad definition in order to capture a wide range of activities, the "capable of" standard could result in almost anything being used for payment. We are likely to see ongoing discussion into the potential wide range of activities covered by this definition. FATF does make clear that VAs are not digital representations of fiat currencies such a central bank digital currencies (CBDCs).

2. Virtual Asset Service Provider (VASP)

FATF's definition of Virtual Asset Service Provider (VASP) is, arguably, the most important definition for operators in this space — whether or not your crypto business is expected to implement a risk-based compliance program can hinge on this definition. And, again, FATF wants to make sure you are interpreting broadly. According to FATF, a VASP is:

Any natural or legal person that conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

  • Exchange between virtual assets and fiat currencies;
  • Exchange between one or more forms of virtual assets;
  • Transfer of virtual assets;
  • Safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and
  • Participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

FATF asks that countries take a "functional approach," by asking if the person or entity "conducts" VASP activities "as a business." The phrase “as a business” encompasses only those that carry out VASP activities for a "commercial reasons, and must do so on at least a sufficiently regular basis, rather than infrequently."

Non-fungible token (NFT) collectibles are generally not considered virtual assets, but if they are used for payment, investment purposes, or to transfer value they may constitute VAs.

The March draft guidance was the first time FATF addressed the growing market for NFTs. While FATF stated that closed loop items such as airline miles that don't have a secondary market are not VAs, the March draft guidance went on to state broadly that some NFTs may be VAs if they "enable the transfer or exchange of value."

The final guidance however addresses the NFT market as it is primarily today — art and collectibles.

The guidance clarifies that NFT collectibles are not generally considered to be VAs, but then goes on to explain that some NFTs may be VAs "if they are to be used for payment or investment purposes in practice." While the guidance does provide some clarity, questions remain as most NFTs are tradable and have a secondary market — think NBA Top Shot — which are likened to baseball cards or physical works of art. When collectors invest in NFTs in many cases they are doing so with the hope that they appreciate in value and can be traded or sold. Based on this guidance, they may need to consider if that qualifies those NFTs as VAs.

FATF develops an "owner/operator" test to determine whether or not certain decentralized finance projects are VASPs.

In the March draft guidance, FATF addressed the questions swirling around decentralized finance (DeFi) for the first time. The draft guidance asserted that, while a decentralized application (i.e. the software program itself) is not a VASP, entities "involved" with the application may be. In determining whether or not an individual or entity is involved, the March draft guidance stated that a DeFi project may be a VASP "when they engage as a business in facilitating or conducting the activities." The use of this broad terminology facilitated capturing entities involved in DeFi but are not otherwise engaged in the transfer of value — the activity which FATF is determined to regulate.

The final guidance does away with the term "facilitate" and instead asserts a more functional "owner/operator" test which holds that "creators, owners and operators . . . who maintain control or influence," may be a VASP even if the project may seem decentralized. FATF, under the new "owner/operator" test, asserts that indicia of control include exerting control over the project or maintaining an ongoing relationship with users. Let's take the test:

Is your DeFi project covered? Take the “owner/operator” test:

Does an individual or entity exhibit control over assets or over the service’s protocol itself?

Does an individual or entity have “a business relationship between yourself and customers, even if this is exercised through a smart contract.”

Does an individual or entity profit from the service being offered to customers?

Is there other indicia of an owner/operator?

FATF makes clear that a country should interpret the test broadly and if it determines that the owner/operator test applies, "owners/operators should undertake ML/TF risk assessments prior to the launch or use of the software or platform and take appropriate measures to manage and mitigate these risks in an ongoing and forward-looking manner."

The word "involved" is not however completely gone from the DeFi section of the final guidance. FATF goes one step further asserting that even if there is no "owner/operator" countries may require that a regulated VASP be "involved" in activities related to the DeFi project.

One other interesting takeaway: FATF does seem to be saying that if a DeFi project is, in fact, completely decentralized — entirely automated and outside the control of an owner/operator — then it is likely not a VASP.

FATF says that stablecoin issuers could be VASPs if there is a "central developer or governance body" that carries out basic management functions.

According to FATF, stablecoins — backed in full or in part by a stable asset — share many of the same ML/TF risks and become more and more vulnerable with the growing marketplace for these assets.

FATF explains that if a "central developer or governance body" establish the rules of governing and carry out basic management functions, such an arrangement will likely fall under FATF's definition of a VASP.

Even without a governing body, if a stablecoin project has a party "to drive the development and launch of" the stablecoin, then that party could also be carrying out VASP functions. Finally, "if one or more parties have decision-making authority over the structure of a so-called stablecoin arrangement, they are likely to be VASPs."

FATF says that Peer-to-Peer (P2P) transactions could pose money laundering risks and provides tips to crypto businesses and regulators to help mitigate those risks.

FATF remains concerned about individuals transferring funds without the assistance of intermediaries and continues to view unhosted or self-hosted wallets as having greater ML/TF risks.

The final guidance has toned down language on unhosted wallets compared to the March draft guidance, which suggested denying licensing of VASPs if they allow transactions to and from unhosted wallets. Instead, the final guidance suggests that VASPs mitigate risk from P2P transactions by taking measures such as:

  • conducting outreach to the private sector;
  • training of supervisory, financial intelligence unit (FIU) and law enforcementpersonnel; and
  • using blockchain analytics to collect and assess P2P transactions and understand risk methodologies to identify suspicious behavior.

While FATF steers clear this time from advising that VASPs de-risk P2P transactions completely, the guidance states that countries may implement measures that provide visibility on P2P transactions and do enhanced due diligence of VASPs with self-hosted wallet activity to meet a risk-based approach.

FATF again says that it's time to implement the Travel Rule.

In July, FATF published its "Second 12-Month Review of the Revised FATF Standard on Virtual Assets and Virtual Asset Providers ("the report"). TRM covered it here, noting that implementation was heavily emphasized. FATF wrote, "[T]wo years after the FATF revised its Standards, most jurisdictions and most VASPs are not complying with the travel rule. This is a major obstacle to effective global AML/CFT mitigation and is undermining the effectiveness and impact of the revised FATF Standards."

The final guidance goes further, focusing on broadening and expanding travel rule requirements (for example, by adding correspondent banking-like standards for VASPs servicing other VASPs). The guidance expects VASPs to ensure that certain customer data is disclosed and transferred between counterparties as part of a cryptocurrency transaction — with more specificity about what is expected. Specifically, the guidance makes clear that:

  • VASPs that have not implemented the “Travel Rule” should be considered higher-risk.
  • A VASP needs to undertake counterparty VASP due diligence before they transmit the required information.
  • Originators and beneficiary VASPs should screen transactions to ensure that the counterparty does not have sanctions exposure.
  • In the case of unhosted wallets — where there is not an originator or beneficiary institution — a VASP must still collect the required information with respect to their customer.
  • VASPs are expected to engage in robust counterparty due diligence that may include "blockchain analytics services."


There is a lot more included in FATFs guidance — the need for a risk-based approach, proliferation financing risks, the use of and training for blockchain analytics tools, the licensing and monitoring of VASPs, and an emphasis on the need for cross-border information sharing by governments and private sector entities alike, to name a few. And, in the coming days, weeks, and months, we will see regulators around the world grapple with how to implement FATFs guidance while legislators attempt to draft comprehensive legal frameworks for crypto. But one thing is clear: As crypto evolves at unprecedented speed and scale, from NBA Top Shot and CryptoPunks to the latest in DeFi and self-hosted wallets, FATF intends to keep pace. And, it wants to make sure you interpret "broadly."

This is some text inside of a div block.
Subscribe and stay up to date with our insights

Access our coverage of TRON, Solana and 23 other blockchains

Fill out the form to speak with our team about investigative professional services.

Services of interest
Transaction Monitoring/Wallet Screening
Training Services
Training Services
By clicking the button below, you agree to the TRM Labs Privacy Policy.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.