Anti-Money Laundering
Consulting Services & Strategies

0 Items - Total: $0.00 CAD

FATF, VASP – What Does It All Mean?

On June 21, 2019 the Financial Action Task Force (FATF) released “Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers”. In the ensuing days, while we read through and considered the implications of this dense 57 page document, we watched social media go overboard with all sorts of wild speculation and inaccurate representations. When that happens, and it’s within our power to get good information out there, we do our best to get solid information out fast to fight the fear, uncertainty and doubt (affectionately referred to as FUD online). Let’s take a closer look at the latest FATF guidance, and what it means for businesses that deal in crypto/digital/virtual currencies like bitcoin, and other virtual assets.

What is the FATF Anyway?

If you’re an AML geek, you can probably skip this section. For the other 99.99% of the world, the Financial Action Task Force (FATF for short) is an inter-governmental body formed in 1989 by its member jurisdictions. If you live in the developed world, odds are good that your country is a FATF member. The role of this organization is to issue guidance to countries on anti-money laundering (AML) and combatting terrorist financing. Countries that are members of the FATF are also evaluated in terms of how well they’re doing at following the FATF’s recommendations (these are called mutual evaluations). Generally speaking, member countries face a good deal of pressure to achieve positive results in mutual evaluations. Countries that are deemed to be non-compliant, or to have strategic deficiencies, are publicly listed and can face significant trade barriers.

To sum it up, the FATF is an international group made up of member countries that issues guidance to countries. That guidance is not law, but it certainly shapes the laws that are written by member countries. It may seem pedantic, but if you hear/read someone saying that the FATF has issued a law or a regulation, it’s likely that the speaker/writer doesn’t really understand how the FATF works – and this is the first piece of FUD that we’re going to dispel today: the FATF does not write laws or regulations.

Once the FATF has issued guidance, its member countries adapt their existing laws and regulations, and in some instances, impose new ones. Generally speaking, the more common approach is to adapt existing laws and regulations.  Regardless of the approach taken, a statement released with the guidance stating that the FATF will monitor implementation of the new requirements by countries and service providers and conduct a 12-month review in June 2020. The guidance is also expected to be the subject of further discussion at other international forums, including the G20.

Virtual Assets and Virtual Asset Service Providers

The FATF’s Guidance introduces new terms (and corresponding acronyms): virtual assets (VAs) and virtual asset service providers (VASPs). These are defined in the glossary at the end of the document, but it’s useful to start off by understanding what the terms mean.

A virtual asset is a digital representation of value that can be digitally traded, or transferred, and can be used for payment or investment purposes. Virtual assets do not include digital representations of fiat currencies, securities and other financial assets that are already covered elsewhere in the FATF Recommendations.

The broader text makes it clear that VAs are being broadly defined, and may include cryptocurrencies like bitcoin as well as other types of assets, like initial coin offering (ICO) tokens, which may also be considered securities.

There are also clear statements about the intent of the guidance, and that it is not an attempt to regulate technology. This is another important distinction, in particular where there is a discussion of regulation applicable to Bitcoin (with the capital B indicating that this is a reference to the Bitcoin protocol). That is simply not the case. In fact, the guidance notes that the intent is to remain technology agnostic, and that no specific technological adaptations to protocols are being proposed (we’ll dive a bit more deeply into this in the section that covers customer information).

What the guidance is, however, suggesting should be regulated are certain business activities that involve virtual assets.

Virtual asset service provider means any natural or legal person who is not covered elsewhere under the Recommendations, and as a business conducts one or more of the following activities or operations for or on behalf of another natural or legal person:

i) exchange between virtual assets and fiat currencies;

ii) exchange between one or more forms of virtual assets;

iii) transfer of virtual assets;

iv) safekeeping and/or administration of virtual assets or instruments enabling control over virtual assets; and

v) participation in and provision of financial services related to an issuer’s offer and/or sale of a virtual asset.

The first, and probably most important, piece of FUD to fight here is the idea that peer-to-peer activity that is not being conducted for business purposes should be covered. This simply is not the FATF’s recommendation. This doesn’t preclude a country from writing laws or regulation that impose requirements on non-business peer-to-peer activity, but it does make that less likely in our estimation.

If you’ve looked at previous FATF guidance, you’ll notice that the scope is a bit different. Earlier guidance was focussed on what were termed “on and off ramps”, meaning transactions that involved trading fiat currency for a VA, or vice versa. The current scope includes trading between different VAs. To understand this change, consider that when the earlier guidance was issued there were no popular “stablecoin” VAs pegged to the value of an underlying asset (often a fiat currency) and ICOs had yet to raise millions in value in VA alone.

What Will It Mean for Businesses to be Regulated?

Businesses (including individuals that are conducting VASP activities on behalf of customers that have not incorporated a separate legal entity such as a company or partnership) may be subject to laws and regulations in more than one jurisdiction, and the specific requirements for each jurisdiction may be different (though most will follow the FATF’s guidance in broad strokes). For VASPs, it is important to understand the requirements that apply in each jurisdiction in which they operate (it is not enough to say that your business is following the FATF’s guidance).

The FATF recommends in its guidance that countries enact laws and regulations that apply to VASPs. This should include (not a comprehensive list):

  • The licensing and/or registration of VASPs;
  • A prohibition against criminals and their associates being beneficial owners of VASPs;
  • A requirement for VASPs to have qualified Compliance Officers, written policies and procedures, documented risk assessments, ongoing training, and measures of the effectiveness of the compliance program (audits);
  • Know your client (KYC) information and identification should be collected by VASPs for customers and business relationships (with a de minimis exception for occasional transactions valued at less than 1,000 EUR/USD);
  • Where transactions occur between two VASPs or between a VASP and another regulated entity type (such as banks), sender and receiver information must be transmitted. This has received a lot of attention, and it is not yet clear how this will be accomplished. The options noted in the guidance include:
    • Public and private keys,
    • Transport Layer Security/Secure Sockets Layer (TLS/SSL),
    • 590 Certificates,
    • 509 Attribute Certificates,
    • API Technology, and
    • Other Commercially Available Technology.
  • VASPs’ customers and business relationships should be subject to ongoing monitoring; and
  • Mechanisms in place to freeze assets and stop transfers in the case of listed persons and entities (such as known terrorists or sanctioned persons/entities).

The guidance also states that there should be true regulatory oversight, not self-regulatory organizations. There are additional considerations for other entity types that are already regulated (including securities dealers and banks) that engage in VASP activities.

Thinking about Risk

Some of the most interesting content in the guidance is related to the money laundering and terrorist financing risk posed by VAs and VASPs. Here, it was clear that the FATF had done their homework as the discussion included TOR, tumblers, mixers, and other technologies referred to as being “anonymity enhanced”. The factors that are listed as increasing a VAs/VASPs risk include:

  • Value moving into and out of fiat currency,
  • The use of anonymity-enhanced technologies,
  • Operations that are entirely online (non-face-to-face),
  • Links to high risk jurisdictions, and
  • The value that can be accessed/transferred.

The guidance does note that not all VAs/VASPs should be considered to be high risk.

A Quick Note on Financial Inclusion & De-Risking

The FATF’s page on financial inclusion defines the term as: Ensuring that financially excluded or underserved groups (such as low income, rural sector or undocumented groups) have access to regulated financial services helps to strengthen the implementation of AML/CTF measures.

If you’ve been watching or participating in VAs or VASPs, you’ll understand that many of these have financial inclusion related goals themselves, but VASPs often struggle with access to banking. In their guidance, the FATF makes a strong statement against banks and financial service providers de-risking all VASPs: It is important that FIs apply the risk-based approach properly and do not resort to the wholesale termination or exclusion of customer relationships within the VASP sector without a proper risk assessment.

Unfortunately, the same cannot be said of prohibition by countries: Some countries may decide to prohibit VA activities or VASPs, based on their assessment of risk and national regulatory context or in order to support other policy goals not addressed in this Guidance (e.g., consumer protection, safety and soundness, or monetary policy). The guidance goes on to note that countries that chose to ban VAs and/or VASPs would still need to ensure that sufficient safeguards are in place. This approach did not seem to be encouraged, but that it is explicitly mentioned is interesting of itself, as this is not the case for other asset or regulated entity types.

Margin Notes

We’ve been asked to post the annotated copy of the first read-through of the FATF’s guidance document. The annotations were not created with the expectation of the audience. They’re likely to be hard to read, idiosyncratic, and to clearly reveal that the author is dyslexic… but if they are of use to you, then these notes are yours to use.

Guidance for a Risk-Based Approach to Virtual Assets and Virtual Asset Service Providers Marked Up Copy

Need a Hand?

If you want to understand the regulations that apply to your VA business/VASP, please contact us.

Compliance with laws and regulations is nuanced; we do not practice in all jurisdictions (and quite frankly, we believe that anyone claiming to understand the nuance of AML in every jurisdiction is greatly exaggerating their skill set). If we don’t practice in the places that matter to you, we’ll do our best to connect you with qualified people that do.

The Dos & Donts of Breaking into Blockchain

This article was created by Amber D. Scott & Emma Todd (of MMH Blockchain Group) with writing assistance from Ailsa Bristow.

We go to a lot of events, and the number one thing people keep asking us is how to get into Blockchain. Developers, students, accountants, lawyers… anyone with something to sell.

Our knee-jerk response is if you want to get into blockchain, just get into blockchain. Yes, it’s that simple.

However, that doesn’t seem to be the conversation-stopper we intend it to be, so a more fulsome response is called for. Here are our collected thoughts on how to get involved, along with some tips on how (and how not to) conduct yourself along the way.

Get Involved

First things first: blockchain is, at its heart, a community. The best place to start is to do your research, find a meetup in your city, and start talking to people. Don’t just sit at home reading about blockchain and bitcoin on the internet.

The blockchain community is one of the more welcoming places on the planet. Here are people who are passionate about what they do, committed to the open-source philosophy, and willing to help newbies learn. Sure, it can get technical at times, and that can be intimidating when you don’t have a strong opinion about proof of stake, the latest token, or whether it was ok for Microsoft to buy GitHub… but as long as you don’t pretend to know more than you do, you’ll be fine. These folks will know when you’re bluffing, and they will call you out on it.

If you really want a crash course in blockchain, volunteer either through a meetup or at one of the big blockchain conferences. This is a great way to start meeting people: you could be brushing shoulders with the big names in blockchain before you even know who they are.

Learn The Ropes

As you start your journey into blockchain, spend some time listening. Seriously. Listen more than you talk. It’s hard to learn anything when you’re the one speaking. Be interested, and be genuine: these are the attributes that will earn you credibility in the blockchain space. But don’t just rely on people to be your tour guides: people will get frustrated with you when you ask questions without doing your basic research first (if you want a great list of bitcoin resources go here). And seriously: please don’t email/ DM/ whatever at leaders in the blockchain community asking them questions that you can easily google for yourselves. That’s not how to win friends and influence people, folks.

If you want to be a coder, there are a lot of free learning resources out there. You don’t need to spend $100,000s getting a computer science degree (unless that’s something you want to do otherwise) given the wealth of learning you can do online. Two communities that we love are freeCodeCamp and BlockGeeks. There are also scholarships out there if you are planning on following this route.

Finally, if you’ve been in the blockchain for all of a minute, please, don’t start advertising yourself as an expert before you’ve even had a chance to learn the basics. Two months attending Meetups and some internet reading does not an expert make. Showing up on panels or guesting on blogs before you’ve really had a chance to learn is going to hurt your reputation.

Get Some Skin In the Game

If you’re interested in working with or selling to blockchain companies, get some skin in the game. We’re always shocked whenever a vendor asks us about selling to blockchain companies, and when I ask them if they’ve ever used a blockchain based service, or a cryptocurrency they say no. If you haven’t taken the time to understand the ecosystem, how can you possibly hope to understand your customers? Why should anyone in the blockchain world trust anything you have to say?

It’s fine to start small. Set up a wallet. Buy some Dogecoin (it has much of the same “backbone” as bitcoin) or even a small fraction of a bitcoin (yes, they are divisible). You don’t need to break the bank. You should participate only according to your passion, your risk tolerance, and your knowledge. But you do need to get a feel for how things work, and demonstrate a personal investment.

Prove Your Value

Blockchain is about proving your value. If you come from a background where people are impressed by your education, your resume, who your parents are, or how much money you made, get ready for a reality-check. In the blockchain world, people are interested in learning about what you’re doing that’s cool.

There’s room for all skillsets in blockchain, from traditional accounting to marketing. But don’t come in trying to make the hard sell. Do talk about things you’re doing that’s cool, and be interested in what other people are working on in return.

Be Respectful

Respect people’s time. Do not use people’s names or photos or logos to promote your event without checking with them first. Do not call someone an advisor to your project if you’ve only  spoken to them once. Get explicit agreement from people before plastering their name all over your website.

Also, if you’re chatting to someone and you hear they got into bitcoin X number of years ago, do not ask them a) how much coin they have, b) if they are a millionaire. If you wouldn’t feel comfortable asking for somebody’s bank statement, or the state of their investment portfolio, don’t ask them for the ins and outs of how much money they’ve made from bitcoin. Your curiosity is not a reason to override basic good manners.

Twitter is King

If you want to keep your finger on the pulse of what’s happening in Blockchain, Twitter is the place to be. It’s where news breaks, connections get made, and discussions are had. Follow one or two of the biggest names in Blockchain, follower their followers, and start jumping in.

Fit Matters

Finally, know that not everyone should be in Blockchain. Sure, you’ve heard the buzz and that there’s money to be made, but that doesn’t mean you need to be in this world. If you’re simply chasing money, you’re probably going to end up getting burned.  If you don’t like change and uncertainty, this probably isn’t the place for you. If you don’t have the ability to pivot, this probably isn’t the place for you. If the thought of listening to engineers argue technical points fills you with dread, this probably isn’t the place for you. And if you aren’t at least open to the idea of being converted into a flaming libertarian, we’d suggest this probably isn’t the place for you. And if that’s true, that’s ok.

On the other hand, if nothing we’ve said here has put you off and you’re ready to dive in, welcome. You’re joining one of the most passionate, genuine, smart, and exciting communities on the planet.

Welcome – we’re glad you’re here!

Return to Blog Listing