November 11, 2021
On Tuesday, the chairs of FATF's virtual assets' team joined TRM Talks. Here are some key takeaways:
- When it comes to DeFi, you need to use the functional owner/operator test. FATF is less concerned over the use of the term decentralized to describe your business, but rather is focused on whether or not a project is actually decentralized.
- Just because something is automated does not mean it is decentralized.
- NFTs are not virtual assets if they are tickets or momentos of an event without a secondary market, but if they transfer value, and/or live and move on a trading platform, they could be virtual assets.
- VASPs and their regulators may allow for a staged approach when it comes to travel rule implementation, but that staged approach must result in earlier implementation than otherwise would have been the case.
- Stablecoin issuers and governance bodies could be VASPs and need to build risk based compliance in order to mitigate risks that may come with mass adoption.
- Next up for FATF? Working with regulators around the globe on implementation of the standards.
On October 28, 2021, the Financial Action Task Force (FATF) released its Updated Guidance For A Risk Based Approach For Virtual Assets and Virtual Asset Providers (guidance or final guidance). The guidance hit on some of the hottest topics in crypto including DeFi, NFTs, unhosted wallets, stablecoins and the travel rule. Check out TRM's full coverage of FATF's guidance here.
On Tuesday, the chairs of FATF's Virtual Assets Contact Group (VACG), Habuchi Takahide of Japan's Financial Services Agency and Jon Fishman of the U.S. Treasury, joined TRM Talks to discuss the guidance. Watch the recording here. The discussion, much of which was spurred by questions from the audience, provided clarification on key issues. Here are some takeaways:
DeFi projects could be VASPs if they meet a functional owner/operator test. But what does this mean in practice?
One major question addressed in the guidance is whether or not certain decentralized finance (DeFi) projects are virtual asset service providers (VASPs) which would require that they institute a risk based compliance program to include policies and procedure, transaction monitoring, and various reporting requirements. The guidance sets forth an "owner/operator" test to determine whether or not certain DeFi projects are VASPs. The test which holds that "creators, owners and operators . . . who maintain control or influence," may be a VASP even if the project may call itself, or identify as, decentralized. FATF, under the new "owner/operator" test, asserts that indicia of control includes exerting control over the project or maintaining an ongoing relationship with users.
When asked about the intent of the test on TRM Talks, Treasury's Jon Fishman explained FATF is attempting to cover financial services - just like in fiat - regardless of how the project characterizes itself.
"Our impression from looking at the industry was there are quite a lot of people using terms like DeFi or DAO or DAP for maybe more of a marketing reason than for technical accuracy. That is to say, maybe they're decentralized in some way or to some degree. But there is someone providing that financial service. It is not truly decentralized in the sense that there is no one driving it."
Mr. Fishman continued, "So what we were trying to do was to say if there is any party that would qualify as a service provider, then there should be regulation on that party the same as there would be for any other virtual asset service provider, regardless of the use of somewhat ambiguous and in some cases not wholly accurate marketing term by default."
Stablecoin issuers and governance bodies may be VASPs.
The guidance explains that stablecoins — backed in full or in part by a stable asset — share many of the same ML/TF risks and become more and more vulnerable with the growing marketplace for these assets. FATF explains that if a "central developer or governance body" establishes the rules of governing and carries out basic management functions, such an arrangement will likely fall under FATF's definition of a VASP. Even without a governing body, if a stablecoin project has a party "to drive the development and launch of" the stablecoin, then that party could also be carrying out VASP functions. Finally, "if one or more parties have decision-making authority over the structure of a so-called stablecoin arrangement, they are likely to be VASPs." FATF VACG co-chair Habuchi Takahide of Japan's Financial Services Agency (JFSA) explained the reasoning on TRM Talks, "The governance body of the stablecoin plays an important role in mitigating the money laundering and terrorism financing risks." Mr. Fishman clarified that FATF simply intends for stablecoins to be treated like any virtual asset, "What we thought about the risk is that it is maybe more likely for stablecoins to be mass adopted for certain kinds of activity," and therefore FATF wants to ensure that with mass adoption comes AML as foundational infrastructure for stablecoins.
What if a DeFi project has an owner/operator and then the project becomes further decentralized over time?
There were a number of questions during the Talk around a DeFi project that begins with an owner/operator but ultimately evolves into something more fully decentralized. Mr. Fishman explained that "security and risk mitigation needs to be built into these projects from the ground up." While he clarified that, "If all you do is software development, you are not a VASP. The guidance is clear," Mr. Fishman continued, but, "[I]f you are designing a product to bring to market, you should build illicit finance risk control into it from day one. It's much harder to do it later." One takeaway is that the owner/operator test should be conducted on a case-by-case basis.
"Someone is obviously designing it and developing it and getting it ready to bring to market. And someone has an intent about what it should eventually be. There's not only developers involved, but also entrepreneurs. I would wonder when you say it's going to be decentralized. Sounds to me like there's a pretty good chance that someone will meet the owner operator test going forward."
Mr. Fishman also makes an important distinction between a project being truly decentralized and a project being simply automated explaining that decentralized does not always actually mean decentralized, "In many cases, it doesn't seem that they actually mean decentralized. They just mean automated. If I go to an ATM, it's still a bank, even though a machine is the one that has given me money. So if you take a system that you control and continue to control, but you automate its processes, that is not decentralized. It's just automated. I think that's really important because I think a lot of people think I launched the DeFi now because the software runs on its own. That doesn't mean that it's decentralized if you still meet those controls."
Some kinds of collectible NFTs are virtual assets (VAs) and some are not.
The guidance clarifies that NFT collectibles are not generally considered to be VAs, but then goes on to explain that some NFTs may be VAs "if they are to be used for payment or investment purposes in practice." While the guidance does provide some clarity, questions remain as many NFTs, in the current use case, are tradable and have a secondary market — think NBA Top Shot — which are likened to baseball cards or physical works of art. When collectors invest in NFTs, in many cases, they are doing so with the hope that they appreciate in value and can be traded or sold. So when is an NFT a VA?
On TRM Talks, Mr. Fishman answered this question with an example explaining that there could be instances where and NFT would be issued as a ticket or momento of an event that would just be for the recipient without a secondary market or the ability to transfer value. That would not be a virtual asset. But Mr. Fishman continued:
"On the other hand, suppose I create 100,000 NFTs. They are the same as each other, or they differ only slightly in the same way that a dollar bill has a serial number. So they create 100,000 of them, and I release them in the market. And I set up a trading platform for people to exchange them for goods and services, even though those are NFTs. Clearly, that is functioning as a payment instrument, and it should be covered in that way."
When asked about potential illicit finance risk of NFTs, Mr. Fishman explained that FATF does not see unique risks, "[b]ut any asset that has value can be misused by criminals."
What does the guidance mean when it talks about a staged approach to Travel Rule implementation?
Section 200 of the guidance suggests that regulators could allows VASPs to take a "staged approach" to requiring implementation of the travel rule - which requires VASPs to ensure certain data is shared between counterparties - acknowledging that VASPs may need more time to become wholly compliant. When asked about this provision FATF VACG co-chair Habuchi Takahide of Japan's Financial Services Agency (JFSA) clarified, "The travel rule implementation is one of the top priorities of FATF's virtual asset work," he continued, "The phased approach is acceptable only to to the extent that it leads to achieving full implementation earlier," than would otherwise have been possible.
What is next for FATF's VACG now that the updated guidance is completed?
Over the course of the last year FATF's VACG has been drafting the updated guidance, engaging with the private sector during a 6-month consultation period and finalizing the guidance. So what's next now that the guidance is completed? According to Mr. Habuchi, the VACG will focus on (1) working to ensure implementation of the standards globally; (2) continuing to monitor the virtual asset market paying close attention to emerging risks; and, (3) continuing to encourage public private partnerships.
Need support on an investigation?
Fill out the form to speak with our team about investigative professional services.