July 6, 2021
The Financial Action Task Force (FATF), comprised of 39 member states, is the United Nations of anti-money laundering. Established in 1989 to address money laundering by cartels at the height of the drug war, FATF again adapted to a growing threat in 2001 when it added countering the financing of terrorism (CTF) to its anti-money laundering (AML) mandate. Over the last few years, FATF's issued guidance has had tremendous sway over regulators across the globe. FATF has published extensive guidance on illicit finance risks and best AML practices for virtual assets since as early as 2014.
Yesterday, FATF published its "Second 12-Month Review of the Revised FATF Standard on Virtual Assets and Virtual Asset Providers ("the report"). While the report is a follow up to June 2019 guidance, it encompasses much more. The report, which enlisted the help of TRM Labs and other blockchain analytics providers in order to better understand the data behind illicit finance risks, is a 43-page "where are they now" referendum on regulators, nation states, and VASPs in implementing FATF's previous recommendations. Bottom line: FATF says it's time to implement.
FATF's continued concern over jurisdictional arbitrage
While FATF makes clear that there has been progress in passing legislation and building coherent crypto regulatory frameworks in some jurisdictions, "the lack of regulation or the lack of enforcement of regulation in jurisdictions is allowing for jurisdictional arbitrage and the raising of ML/TF risks." The lack of clear global standards, according to FATF, is a systemic AML/CTF risk for crypto.
"An overview of the results suggests that significant progress has been made, but global implementation still has very large gaps that need to be addressed. 58 jurisdictions, (28 FATF members and 30 FSRB members) reported that they had the necessary legislation to implement [FATF standards], with 35 of these jurisdictions (18 FATF members and 17 FSRB members) reporting that their regime was operational. A minority of jurisdictions have conducted examinations and still fewer have imposed any enforcement actions. These gaps are particularly relevant, since weak or non-existent AML/CFT controls in VASPs remain a key source of risk.
The power and promise of crypto is in many ways tied to its borderless nature. This, according to FATF, makes having global AML standards and consistent enforcement priority number one.
If you are tracking FATF developments on virtual assets, then you are already tracking the "Travel Rule," a key AML/CFT measure which mandates that Virtual Asset Service Providers (VASP) obtain, hold and exchange information about the originators and beneficiaries of crypto transfers. In other words, a VASP needs to know where the crypto came onto its service from and where it is headed. Travel rule implementation has, according to the report, become a litmus test for VASPs. FATF points to what it sees as insufficient implementation of the travel rule or the development of so-called travel rule solutions as disincentivizing "the private sector, particularly VASPs, to invest in the necessary technology solutions and compliance infrastructure to comply with the travel rule."
"Overall, there has been further progress [on the travel rule] in the last year. Nonetheless, two years after the FATF revised its Standards, most jurisdictions and most VASPs are not complying with the travel rule. This is a major obstacle to effective global AML/CFT mitigation and is undermining the effectiveness and impact of the revised FATF Standards."
In terms of VASPs’ implementation of other AML/CFT obligations, FATF acknowledges the 'pre-first inning' nature of crypto compliance. The report states, "In many jurisdictions, the VASP sector is new, without a history of regulatory oversight and lack of familiarity with the fundamentals of AML/CFT. This challenge is further complicated by the continued trend of rapid technological progress in the VASP sector, where there is a constant evolution in technology, services, business practices and firms entering and exiting the market."
The report specifically calls out "commonly observed issues in VASPs' compliance" including:
- the quality of CDD, including enhanced CDD and beneficial ownership requirements and electronic verification;
- ineffective AML/CFT programs and internal controls and issues inoutsourcing AML/CFT duties;
- issues in STRs, other transaction reporting and transactionmonitoring;
- issues regarding data protection and record-keeping;
- issues relating to governance and internal oversight and auditexpertise;
- and the lack of sufficient staff and expertise for compliance and the quality of staff training (or the lack thereof).
FATF is regulating for a digital battlefield
Nations around the world — and the U.S. in particular — are grappling with what many are calling the first major national security moment since 9/11, following recent proliferation of ransomware-as-a-service providers and cyberattacks. FATF calls out the "increase in the use of virtual assets to collect ransomware payments and to commit and launder the proceeds of fraud." The report also predicts "the pace, sophistication, and costs of ransomware attacks is likely to grow in 2021."
The report focuses on the threat of the increasing "pace and sophistication of ransomware attacks . . . victimizing, notably, governments, schools, hospitals, and other critical infrastructure providers all over the world. The proceeds of such ransomware attacks are often moved via unhosted or privacy wallets and/or other anonymity-enhancing tools and methods to VASPs, where they are exchanged for other virtual assets or fiat currency and can be used by illicit actors to pay for their criminal enterprises. Separately, sophisticated illicit activity by state actors using virtual assets for sanctions evasion has also been observed."
While FATF acknowledges that fiat currencies are still the preferred method of money laundering and illicit finance, the report suggests that "ransomware payments, darknet markets, frauds and investment scams and hacks," are facilitated in large part by the use of cryptocurrencies. In addition, FATF identifies evolving obfuscation techniques such as privacy coins, mixers, tumblers, "privacy wallets, chain-hopping, dusting (which allows the transfer of tiny amounts of virtual assets to random wallets) and the use of decentralised applications, decentralised exchanges and atomic swapping exchanges." This is FATF again addressing illicit finance risks and on-chain obfuscation techniques in real time and in a marketplace in "rapid flux," as law enforcement and regulators take on darknet mixing services and anonymity enhanced cryptocurrencies. The focus on the unique threats and obfuscation techniques utilized by illicit actors in the cryptoverse is a realization by FATF that the battlefield has shifted to the digital world and crypto comes with unique promise and unique risks for this new era of national security.
FATF enlists blockchain analytics to understand Peer-to-Peer (P2P) transaction patterns
In its report a year ago, FATF identified self-hosted wallets, or what it refers to as P2P transactions, as a specific and inherent AML/CFT risk given the lack of a regulated intermediary in the transaction. In this report, FATF sought to (1) to understand the extent to which virtual asset transfers occur with a VASP or without (i.e. P2P transactions), (2) whether this has changed since the FATF revised its standards in June 2019, and (3) the ML/TF risk associated with P2P transactions. In order to accomplish this goal, that is, "to develop a picture on the scale of transactions taking place without a regulated entity responsible for AML/CFT obligations," FATF asked a consortium of blockchain analytics companies, including TRM Labs, to develop a set of market metrics on Bitcoin transactions occurring P2P as opposed to through a VASP. The report finds that "[d]espite the variation between the companies, the data from all companies is consistent in one sense. The data does not show a clear and consistent shift towards P2P transactions or away from transactions with VASPs. Particularly with the number of transactions, the proportion transacted with and without a VASP has remained largely stable between 2016-2020."
So where does this leave us? TRM's analysis points to all roads still leading to VASPs. While, we may see an increase over time in self-hosted transactions, regulated VASPs are still a necessary off-ramp to the fiat economy. As long as self-hosted wallets continue to transact with VASPs, regulators are able to get the information they need from regulated entities.
What does FATF say about crypto's explosive growth?
FATF rejects the well worn crypto industry argument that regulatory guidance and implementation stifles innovation. The report points to the "increasing adoption of virtual assets in the mainstream of the traditional financial sector," and crypto's rapid growth as evidence of the need for clear regulatory guidance and robust enforcement.
FATF does not see any evidence that the revisions to its Standards in 2019 have stifled innovation in the sector. Indeed, since the revisions, the sector has seen continued and rapid growth. Virtual assets grew in popularity over the last year, and, in January 2021 alone, virtual asset users increased by almost 16 percent. For example, in June 2015, four years before the FATF revised [its standards], there were approximately 265 000 active daily bitcoin addresses. This number had nearly doubled to approximately 572 400 in June 2019, when the FATF revised [its standards] and released its Guidance on virtual assets and VASPs. The number has again doubled since the FATF changed its Standards. As of April 2021, there were over a million daily active bitcoin addresses. While the FATF cannot examine the counterfactual, these numbers make it difficult to argue that the revisions to the Standards have hindered the growth of this market.
Conclusion: It's time to implement!
Over the last seven years FATF has weighed in on crypto's hottest topics — DeFi, NFTs, self-hosted wallets — and has provided some of the most important definitions in the cryptoverse *(see appendix). While FATF does not necessarily cover new ground in is latest report, it makes on thing abundantly clear: it's time to implement. The standards, according the report, are solid — it's the implementation that is the problem. In their words, "While there are many areas where both jurisdictions and the private sector seek further clarity, these are questions regarding the application of the Standards rather than the Standards themselves." The report concludes that VASPs and their regulators around the globe "need to implement the revised FATF Standards, including travel rule requirements, as quickly as possible," and public private partnerships should be formed in order to facilitate implementation.
*Key terms as defined by FATF:
A virtual asset is a digital representation of value that can be digitally traded, ortransferred, and can be used for payment or investment purposes. Virtual assets donot include digital representations of fiat currencies, securities and other financialassets that are already covered elsewhere in the FATF Recommendations.
Virtual asset service provider means any natural or legal person who is not coveredelsewhere under the Recommendations, and as a business conducts one or more ofthe following activities or operations for or on behalf of another natural or legalperson:
- exchange between virtual assets and fiat currencies;
- exchange between one or more forms of virtual assets;
- transfer22 of virtual assets;
- safekeeping and/or administration of virtual assets or instruments enabling
- control over virtual assets; and
- participation in and provision of financial services related to an issuer’s offerand/or sale of a virtual asset.