The Latest FATF Targeted Update Explained for VASPs
The FATF’s Targeted Update can be divided into 3 main sections:
State of Public Sector Implementation of FATF Standards for VAs / VASPS,
State of Implementation of FATF’s Travel Rule, and
Updates on Market Developments and Emerging Risks.
Let’s unpack the new regulations as per these sections.
1. State of Public Sector Implementation of FATF Standards for VAs / VASPS
This section focuses on the adoption of Recommendation 15, which has also been notably slow in various jurisdictions.
Recommendation 15 requires countries to apply a risk-based AML/CFT approach - they are to monitor, supervise and regulate VASPS and other financial institutions. VASPs are to perform customer due diligence (CDD) checks and politically exposed person (PEP) screening.
For this blog post, we will focus on the implementation of the Travel Rule. To date, most jurisdictions have not implemented the FATF’s Recommendation 16. In March 2022, it was determined that of the 98 corresponding jurisdictions;
29 jurisdictions had passed the Travel Rule legislation,
11 had started enforcement and supervisory measures,
a quarter are in the process of passing the relevant legislation,
36 have not done anything to comply.
2. State of Implementation of FATF’s Travel Rule
The Sunrise Issue
Due to the inconsistencies in the implementation of the Travel Rule across jurisdictions, VASPs have been facing the sunrise issue. The sunrise issue poses various challenges to VASPs interacting with foreign counterparties who have different Travel Rule requirements.
These differences include de minimis thresholds, transactions with unhosted wallets (self-hosted wallets), and data privacy requirements.
To counteract this issue, many jurisdictions have provided guidelines for domestic VASPs interacting with foreign unlicensed or unregistered VASPs on how to transact when confronted with the sunrise issue.
The following guidelines have been developed:
22 of the 32 jurisdictions allow domestic VASPs to transact with any foreign VASP, whether they are licenced/registered or not,
Others require domestic VASPs to limit transfers only to those that have adopted Travel Rule and/or are licensed.
Regarding the submission of Travel Rule information:
most jurisdictions require domestic VASPs to apply the Travel Rule with all foreign VASPs, irrespective of the VASP being registered or having similar Travel Rule requirements,
other jurisdictions have limited Travel Rule requirements to only licenced/registered counterparts with similar requirements,
some jurisdictions have opted to leave the decision to the participating VASPs; the deciding factor would be based on the ML/TF risks of the counterparty.
In October 2021, the FATF released an Updated Guidance that clarified how the Travel Rule would apply to unhosted wallets.
As per the FATF, originating VASPs must submit the specified information to the beneficiary VASP securely. It is noted that in the event that a VASP cannot protect the required information, exceptions can be granted.
In the Updated Guidance, the FATF specified that VASPs do not need to submit collected Travel Rule data from unhosted wallets but do need to collect the required originator and beneficiary information on unhosted wallets from their own customer for risk mitigation.
With these standards in mind,
most jurisdictions have adopted the approach outlined in the FATF’s Updated Guidance by requiring VASPs to collect relevant beneficiary information on unhosted wallets from their own customer,
a few jurisdictions will require VASPs to apply additional mitigation measures, such as verifying the wallet owner or performing EDD.
lastly, some jurisdictions currently require VASPs to make use of blockchain analytics but recognise limitations in the approach.
De Minimis Thresholds:
As per the FATF’s recommendations, jurisdictions may choose to adopt a de minimis threshold of EUR 1000 or lower.
VASPs are required to collect the following data when transacting over such a threshold:
the virtual asset wallet address, or unique transaction reference number for both,
if the transaction under the threshold is suspected of ML/TF, this information needs to be verified.
Within this context, it was found that of the 35 responding jurisdictions:
19 indicated that they would keep the EUR 1000 threshold,
12 do not plan to introduce a de minimis threshold,
2 have introduced a higher threshold than EUR 1000 and 2 a lower threshold.
3. Updates on Market Developments and Emerging Risks
There has been an increasing concern about DeFi and NFTs as it is believed that these avenues pose a challenge to implementing the FATF’s Travel Rule.
DeFi and NFTs
DeFi and NFT markets have been growing in rapid spurts over the last year. While no exact numbers have been produced regarding criminal misuse, these markets are believed to provide a channel for illicit financing.
Regarding DeFi, as per the FATF’s Updated Guidance (October 2021), the FATF standard does not apply to software. However, it does apply to the users thereof, such as VASPs.
Hence, the FATF will continue to monitor the developments in DeFi and facilitate the implementation of AML/CFT practices.
With regards to NFTs, jurisdictions are encouraged to apply the FATF’s Standards on virtual assets when the NFT functions as such.
The FATF is still monitoring the topic of Peer-to-Peer (P2P) payments. It is believed that P2P transactions can be used to navigate around FATF Recommendations. For instance, transfers using non-compliant VASPs and unhosted wallets.
Sanctions Evasion has also been addressed. It is believed that training and rapid implementation of the Travel Rule will aid in effective sanction screening.
The FATF is aware of the continued threat of criminal organisations misusing virtual assets through ransomware attacks.
Criminals mostly rely on non-compliant VASPs but also use compliant VASPs post-laundering to cash out the assets. The FATF firmly believes that to prevent such acts, the Travel Rule needs to be implemented to ensure proper screening techniques for VASPs. Moreover, VASPs are encouraged to use blockchain analytics to help track ransomware-related activities where possible.
Although the FATF’s update provided a clear picture of the Travel Rule status, many grey areas remain. It is recommended that jurisdictions apply the FATF’s standards for virtual asset transactions, but jurisdictions are still left to decide if they wish to go above what is expected from the FATF.
Additionally, it has been noted that Travel Rule solutions are currently implemented within specific countries rather than globally or across regions.
If jurisdictions go beyond the expectations of the FATF, it creates an additional compliance workload for VASPs transacting with them.
Around 20% of jurisdictions signalled that they intended to request additional information to assist VASPs in detecting ML/TF risks and meet AML/CFT requirements. These additional requirements include the purpose of the transfer, the source of the virtual asset funds and the beneficiary’s address.
The industry has also expressed its growing concerns about data privacy when meeting the above requirements. VASPs fear that collecting and storing such information could lead to data leaks.
Furthermore, jurisdictions and the industry are unsure which technological solution or combination of solutions should be chosen to meet FATF and local compliance obligations.
The FATF has advised that they will continue monitoring the topic to ensure data privacy and security and have explicitly highlighted the need to accelerate global efforts, to implement the Travel Rule to prevent nuances across jurisdictions.
21 Analytics’ Solution
21 Analytics agrees wholeheartedly with the FATF that through the global implementation of the Travel Rule, a standard can be reached which will resolve the issues mentioned above.
While the FATF is pushing for implementation, it can be assumed that the sunrise issue will not be resolved within the following year. Moreover, data leaks are a reality, as well as jurisdictions going beyond the basic FATF requirements. Sanctions evasion and ransomware attacks are issues that compliance officers need to be aware of.
To remedy these concerns, we suggest choosing a provider that can solve them using one platform. The 21 Travel Rule and its extensions do just that.
With our product, VASPs are able to transact with countries who have or haven’t implemented the Travel Rule, making the sunrise issue not so much of an issue anymore.
Being an on-premises solution, data leaks are minimised since the sensitive data required for Travel Rule compliance is not shared with an additional party - the Travel Rule solution provider. When adding a centralised or SaaS solution to their workflows, VASPs also enlarge their data privacy risks since those parties have access to the transacted data.