21 Analytics logo
Request a Demo
inner blog TheLatestFATFTargetedUpdateSummarisedPart2

The Latest FATF Targeted Update Summarised - Part 2

13 Jul, 2023

Since the Financial Action Task Force (FATF) expanded its anti-money laundering and counter-terrorism financing (AML/CFT) standards to include virtual assets and virtual asset service providers (VASPs) four years ago, several major virtual asset markets have started implementing or are in the process of implementing appropriate regulations. However, the slow progress in this regard is worrisome. 

The FATF released its 2023 Targeted Update on Implementation of the FATF Standards on Virtual Assets/VASPs to bring Travel Rule implementations issues to light, discuss the risks posed due to the slow implementation process, and offer guidance and solutions to virtual asset businesses.  

The Update consists of 5 sections; 

  1. Jurisdictions’ implementation of FATF standards on virtual assets and VASPs

  2. Implementation of FATF’s Travel Rule

  3. Market developments and emerging risks

  4. Recommendations for the public and private sectors 

  5. Next steps for the FATF and VACG

In the previous blog, The Latest FATF Targeted Update Summarised - Part 1, we unpacked the implementation status of the FATF’s Travel Rule, the sunrise issue, VASP counterparty due diligence, and common issues with Travel Rule compliance tools (sections 1 and 2 per the Update).

Read: The Latest FATF Targeted Update Summarised - Part 1

Below; we will dive into sections 3 - 5, discussing the FATF’s findings, including the risks associated with virtual assets, DeFi, self-hosted wallets, NFTs and stablecoins. Followed by recommendations to the public and private sectors to mitigate risks, closing with the FATF and VACG’s next steps. 

The Latest FATF Targeted Update Summarised

Market Developments and Emerging Risks

Virtual Assets

Current events like the Democratic People’s Republic of Korea (DPRK) illicit activities involving virtual assets have caused great concern among the United Nations and FATF. These activities were used to finance the proliferation of weapons of mass destruction and the launching of ballistic missiles. 

The DPRK is just one example of a country misusing virtual assets; there have been various cases of cyber criminals using ransomware and other malware campaigns to steal virtual assets.

The scale and consequences of these illicit activities pose a significant threat, requiring urgent action by countries to implement the FATF’s Standards. The use of virtual assets for terrorist financing, including anonymity-enhanced coins, has also been observed, with groups like ISIL and Al Qaeda utilising virtual assets to raise and move funds. The FATF will continue to monitor these trends, particularly the financing of extreme right-wing terrorism through crowdfunding platforms.

Decentralised Finance (DeFi)

DeFi markets have been growing rapidly, with users turning to decentralised exchanges after the collapse of FTX. However, DeFi still plays a minor part in overall virtual asset activity. 

Despite this, many jurisdictions believe it can pose a risk due to its ever-evolving market. To date, several jurisdictions have started a risk assessment focused on DeFi, but have stumbled across a common issue: lack of reliable and complete data.  Additionally, the private sector and VACG members have pointed out uncertainty in labelling DeFi arrangements according to the FATF’s definition of a VASP. 

The FATF found that in the more advanced jurisdictions, for example, those that have implemented the Travel Rule, 37 of the 62 respondents require DeFi to be licensed or registered as a VASP, and 10 are taking steps to identify the risks associated with DeFi. While of the remaining 15, 5 have reported that they are taking other steps, e.g. participating in regional work to monitor risks, and 10 are not taking any action. 

Jurisdictions requiring DeFi to be licensed or registered as a VASP 

Further investigation only reiterated the challenges the private and public sectors face when attempting to identify individuals and entities who control or influence DeFi. 

Of the 37 responding jurisdictions, 27 explained that while they require DeFi arrangements to be licensed or registered as a VASP, they have not identified any that qualify as a VASP. Only 9 jurisdictions have successfully identified unlicensed/unregistered DeFi entities that qualify as VASPs, with 1 jurisdiction confirming that it had registered a DeFi entity as a VASP.

JurisdictionsSuccessinLicensingOrRegisteringDeFiAsaVASP (1)
Jurisdictions’ success in licensing or registering DeFi as a VASP 

Both these images illustrate the difficulties jurisdictions have in identifying DeFi arrangements and determining if they qualify as VASPs. It is important for jurisdictions to adopt a comprehensive approach to risk assessments in the virtual asset ecosystem, considering the interconnected nature of DeFi arrangements, VASPs, self-hosted wallets, and peer-to-peer (P2P) transactions.

Self-hosted Wallets, Including Peer-to-Peer (P2P) Transactions  

Peer-to-peer (P2P) transactions refer to direct transactions between individuals without intermediaries or centralised authorities with AML/CFT obligations. 

In 2021 the FATF conducted a market analysis, and the findings showed that users had not moved away from regulated VASPs to P2P transactions. These numbers remained relatively similar to previous results. However, the analysis suggested that the share of illicit transactions might be higher in P2P transactions than the ones involving VASPs, although data variations reduced confidence in these findings. 

It is speculated that self-hosted wallets could pose specific risks related to money laundering, terrorist financing, and proliferation financing due to their pseudo-anonymous nature. In such scenarios, actors, including sanctioned individuals, could use illicit proceeds in virtual assets to sustain their activities without encountering a VASP or financial institution with AML/CFT obligations.

Although FATF Standards do not cover P2P transactions, the implementation of these standards can still play a crucial role in mitigating illicit finance risks associated with P2P transactions and self-hosted wallets. 

The FATF 2021 Guidance offers various options for jurisdictions to address these risks, such as improving market metrics and risk mitigation solutions for P2P transactions, using blockchain analytics tools, and imposing additional AML/CFT requirements on VASPs that facilitate transactions with non-obliged entities.

Non-fungible Tokens (NFTs)

Although there has been a decrease in the risks NFTs pose, they have still been labelled as a potential risk area for money laundering. 

Jurisdictions with an advanced VASP regulation regime are monitoring NFTs as virtual assets. Yet, others have not ascertained their regulatory path, as NFTs can be regulated in various ways depending on their functionality.  (NFTs can function as cultural objects, tokenised versions of tangible goods like real estate, etc.)

Other Market Developments (Stablecoins etc.) 

With the increased adoption of virtual assets - including stablecoins - the use of ML/TF obliged entities for transactions could reduce. Additionally, there has been an increase in traditional financial institutions, like banks, entering the virtual assets market. 

Participants in the market are examining how these players and VASPs can work together to mitigate the risks of ML/TF by leveraging their knowledge and practices from the traditional financial system.  These developments and collaborations will be further explored and monitored by the FATF. 

Recommendations for the Public Sector 

With a focus on risk assessment, mitigation and licensing/registration, jurisdictions that have not assessed the risks associated with virtual assets and VASPs are urged to use the FATF’s 2021 Guidance to recognise the risks and set up risk prevention measures. 

Moreover, jurisdictions must continually monitor VASPs within their domain to safeguard against non-compliance and illicit VASPs. The FATF highlighted the implementation of the Travel Rule to aid this process. 

DeFi should also be focused on - jurisdictions must consider how DeFi institutions are classified according to their AML/CFT frameworks. On top of this, self-hosted wallets and P2P transactions are to be monitored to mitigate any associated risks. 

In closing, the FATF strongly urges the implementation of the Travel Rule. Regions that are in the process of implementation need to speed up their regime, and those that haven’t should do so immediately to hinder risks.

Recommendations for the Private Sector 

The FATF advises VASPs and Travel Rule solution providers to ensure that the compliance tool being used or offered fully complies with the FATF’s requirements and improve the solution’s interoperability with other Travel Rule solutions.  

Like the public sector, the private is also urged to implement risk prevention measures and monitor and mitigate the risks associated with P2P transactions and self-hosted wallets. These measures should be in line with the Travel Rule.  

Next Steps for the FATF and VACG

To speed up the implementation of the Travel Rule, the FATF and VACG will assist low-capacity jurisdictions in need of guidance. This includes: 

  • Sharing Travel Rule material, which includes training, regulations, guidance and risk assessment and any other information that will speed up the adoption of the Travel Rule. 

  • Providing technical guidance, specifically in previously identified challenge areas.

  • Providing support in the form of forums, workshops and webinars. 

  • Collaborating with other players to improve Travel Rule implementation. 

Read: FATF Virtual Assets Contact Group (VACG): 21’s Takeaways

The FATF has confirmed that it will continue to monitor 

  • The global adoption of the Travel Rule and share its findings in its next Targetted Update in 2024.

  • The market, to stay on top of changes and risks. “The market” includes DeFi, self-hosted wallets, P2P transactions, and activities by sanctioned parties. These findings will also be shared with the ecosystem. 

In Conclusion 

In light of the FATF’s findings, 21 Analytics agrees wholeheartedly with the FATF that through the global implementation of the Travel Rule, a standard can be reached which will resolve the issues mentioned above and in our previous blog

To support easier Travel Rule adoption, 21 Analytics has issued several materials, including joint articles with EY, guides, online events and workshops on the topic. Sign up here to be kept in the loop.

We also believe that through the implementation of the correct Travel Rule solution, VASPs can further mitigate risks and be content that they have complied with the Travel Rule.

Our Travel Rule solution is the only one that is 100% GDPR-compliant out-of-the-box since it runs on-premises, entirely under the control of the VASP licensing it. Being unique, 21 Travel Rule also supports compliance for VASPs transacting with self-hosted wallets, a feature lacking in most other solutions - as mentioned by the FATF in this document’s Recommendations for the Private Sector.

That’s why we stand behind our solution, 21 Travel Rule

Request a Demo
Written by:
21Author (3)
The Content Team
Just like our Travel Rule solution, our website also respects your privacy. That is why we don't use any tracking cookies.
Ok, nice!