This article walks regulators through some best practices recommended by the Financial Action Task Force (FATF) to monitor virtual asset service providers (VASPs) in their 2021 draft guidance.
TL;DR
- VASPs must be licensed or registered in their jurisdiction of incorporation. Licensed or registered VASPs must be required to comply with AML/CFT regulations.
- VASPs must be required to conduct customer due diligence (CDD) on a risk basis to identify users. Where the money laundering risk is high, they must take enhanced due diligence (EDD) measures.
- The travel rule requires mediating VASPs to hold and share information about the users involved in a transaction with each other. The transfer of information must be done immediately and securely.
- Other recommendations include requiring VASPS to screen for sanctions violations and politically exposed persons.
Licensing or Registering VASPs
According to the FATF, VASPs should, at minimum, be required to be licensed or registered in the jurisdiction where they were created. This registration can be done by incorporating the company, allocating a company tax number to the VASP, or any other similar mechanism. Although not imperative to meet FATF standards, VASPs may be required to register in the jurisdiction(s) they operate. This may be useful in mitigating risk since most VASPs have their user bases spread out across many jurisdictions. Countries should designate one or more authorities to be responsible for licensing and/or registering VASPs.
A set of relevant criteria can be used to determine if a VASP is operating or providing services in your jurisdiction. This can include looking at the location of offices/servers, the countries they target in their promotions, the language of the VASP’s website, etc. FATF recommends national authorities ensure that appropriate channels are in place to notify VASPs of their obligation to register or apply for a license. An authority should also be designated to identify and sanction unlicensed or unregistered VASPs.
The licensing or registration criteria give the authorities confidence that the VASP has sufficient Anti-Money Laundering (AML) and Countering the Financing of Terrorism (CFT) procedures in place to comply with their obligations. Moreover, the authorities should have in place measures to ensure that criminals or their associates are prevented from holding a significant or controlling interest, or holding a management function in a VASP. VASPs should require prior approval from the authorities before making any substantive changes in shareholders, business operations or structures.
Customer Due Diligence
Countries should ensure that VASPs have effective customer due diligence (CDD) procedures to identify and verify a customer’s identity on a risk basis. VASPs can collect CDD information when establishing business relations with a customer when suspicions of Money Laundering (ML) or Terrorist Financing (TF) arise or when there is doubts about the veracity or adequacy of previously obtained identification data. When carrying out an occasional transaction, the designated threshold above which VASPs are required to conduct CDD is USD/EUR 1,000. However, keeping the ML/TF risk in mind, authorities may set a lower threshold. Any CDD information that VASPs obtain should be kept up-to-date by frequently reviewing existing records, particularly for high-risk customers.
FATF also recommends countries oblige VASPs to take Enhanced Due Diligence (EDD) measures when faced with a higher ML/TF risk. This can be when they are dealing with customers from a country or geographical area that:
- is identified by a credible source to have high terrorist funding activity or significant levels of organized crime, corruption, or other criminal activity, including source or transit countries for illegal drugs, human trafficking, smuggling, and illegal gambling;
- have sanctions, embargoes or similar measures issued by international organizations such as the UN; or
- is identified by credible sources as having weak governance, law enforcement, and regulatory regimes, including countries identified by the FATF statements as having weak AML/CFT regimes.
EDD measures to deal with these and other such cases include:
- corroborating the identity information received from the customer, such as a national identity number, with information in third-party databases or other reliable sources;
- potentially tracing the customer’s IP address;
- the use of analysis products, such as blockchain analytics; and
- searching the Internet for corroborating activity information consistent with the customer’s transaction profile, provided that the data collection is in line with national privacy legislation.
Countries may also ask VASPs to collect additional information when dealing with a high ML/TF risk customer or transaction. Additional information includes the purpose of transactions, source of funds, details of the end-use and end-user, etc.
FATF also requires countries to ensure that VASPs maintain all records of transactions and CDD measures for at least five years in such a way that individual transactions can be reconstructed to swiftly obtain specific information that can then be provided to the relevant authority.
The Travel Rule
The travel rule requires countries to ensure that the ordering VASP obtains and holds the required information about the originator and the beneficiary and submits this information to the beneficiary VASP, who is also required to hold this information.
The ordering VASP must obtain and hold the following information:
- The originator’s verified name and wallet address
- The originator’s physical address, national ID number and/or any other identifying information
- Beneficiary’s name (not required to be verified for accuracy by the ordering VASP) and wallet address
The beneficiary VASP must obtain and hold the following information:
- The originator’s name (not required to be verified for accuracy by the beneficiary VASP) and wallet address
- The originator’s physical address, national ID number and/or any other identifying information
- The beneficiary’s verified name and wallet address (the beneficiary VASP must compare the beneficiary’s verified name with the information they obtained from the ordering VASP to see if it matches)
This transfer of information must be immediate and secure so that it can match the speed of the transfer itself. Post facto submission of information should not be permitted, i.e. it should reach the beneficiary VASP before or along with the virtual asset transfer itself.
Countries may choose to adopt a threshold of USD/EUR 1,000 for virtual asset transfers for the above requirements to kick in. If they do so, for transfers that are below the threshold, the VASPs should only be required to collect the names and wallet addresses of both parties. This information need not be verified unless suspicious circumstances arise.
Other Recommendations
Some other recommendations include requiring VASPs to:
- screen for sanctions violations to ensure that they do not transact with a designated person or entity in any capacity;
- identify and conduct due diligence on counterparty VASPs before sending any information to them; and
- screen customers and beneficial owners to verify if they are foreign politically exposed persons or if they are related to one.
The BIG team has gone through the latest guidance draft issued by FATF to highlight the pertinent points for regulators, VASPs and other interested parties. Subscribe to our blog to stay updated in the space. To read the entire draft guidance document, click here.
